Attackers hid malware within a legitimate app, giving hackers access to communication and location data, says security firm CrowdStrike.