And yet....
This isn't a "drive-by" attack, there is outright social engineering involved to get someone to run this app, and as we all know once you can convince a user to run a program, all bets are off.
Furthermore, once it is on a system, to remove it all you do is kill the task and delete the program right there in applications.
I have no doubt that something truly nasty for OSX is coming someday, but this still isn't it.