That is great that they responded to you but they should't have been scanning their system. The issue is not with them specifically, rather with the infrastructure its running on I.E. Android. The compromised app once installed is logging information that should be secured in a TEE (trusted execution envirnoment) which is a secure part of the CPU on your device. This would be best practice for android devices but they may not use it due to lazy devs etc. Apple do not use TEE on their devices, they use TAP (trusted application protocol I believe) just as an FYI.

I haven't seen the detail on where the malware is picking up the information, I.E. if its in a TEE but I highly doubt it. I would say that it is monitoring transactions like device to server etc.