This was inevitable. But Android handled it well.
...and it won't be the last time either. Thankfully, Android pulls all the stops to make sure malware gets minimal privileges. Separate UIDs, separate SELinux contexts (same types, separate categories) and in the future, separate namespaces and seccomp-bpf to limit syscalls.
I fear the day someone deliberately modifies a popular freeware desktop app on Linux/Windows/macOS and actually slurps data en-masse. Desktop systems need proper hardening ASAP.