The 33-page report flagged a fake Android app posing as CJP’s official app as a malware threat capable of hacking devices and stealing user data