With one update, this malicious Android app hijacked millions of devices