The concern is not about "malware," per se, embedded in the app, but that the app is harvesting valuable data and shipping it off to Google for who knows what. The point is that the user would never notice malicious behavior because, to most users, it wouldn't be considered malicious at all. So the app took some pictures and sent them to Google; big deal! Most likely that code is in there somewhere, and your average person will know exactly what it's doing and not think twice about it.
And Google isn't stupid; if they want to hide something (which again, they probably don't), the dumbest thing they could possibly do is obfuscate the bytecode. That sets off red flags and alarms everywhere, and suddenly there's thousands of skilled RE's analyzing the app (a lot of them just for the challenge, which is far more compelling with a big name like Google involved), whereas right now all we have is the occasional tech blog doing a cursory overview (which is all your link is, btw). Also, there's far better ways to hide code than blanket obfuscation. Like I said, that's probably the worst way to do it. And no, there's no way to prevent reverse engineering of an app. It's impossible in practice, and I've actually worked on the theoretical side of that, and while I don't have a formal proof that it's impossible, I'm pretty darn sure it is.
The point of the OP isn't that it might be malicious in the traditional sense; it's that the CIA may be involved, and if they are, they'll be scooping up massive swaths of data (and again, the code involved here will be completely ignored by most any reverse engineer because it's completely mundane: uploading a picture) and we have no idea what they'll use that data for.
Thanks, @modprobe. That's exactly what I wanted to say.
Massive volumes of data are sent to servers and nobody can find out and check how the data are really used. Whether it's used by CIA or just for app analytics. And even if it's not used by CIA at the moment nobody can guarantee that it won't be used by them futher!
It's still not what everybody are talking about (photo/video recording). The amount of data which can probably be sent to somebody is not bigger as it would be if you used your Google or Apple maps.
The code is there somewhere is not actually an answer. It should be there or all the theories are just attempts to gather some attention. And there are not only thousands of REs, as I've mentioned, the code was explored by the game hackers and clone makers too.
And yes, you can check the amount of data that the game sends. It will require an android device, some services disabled, some tools installed.