If one were to decompile and check what the app is doing, I'd guess it would still be a good idea to not say so on a public forum. Especially, in cases where there is so much public attention. :)
I agree with what you're saying about not going public immediately if anything malicious had been discovered, but then they probably wouldn't have written:
> We will thus hold back the banning of the url for now [...]
If on the other hand it's really just some benign leftover example code downloading the image and not doing anything with it later as has been suggested and is indeed the most likely, there'd be no harm in confirming that's the case.
They went to great lengths with their investigation, and this would be the obvious final step to wrap it up. Posting a couple of the relevant .smali lines wouldn't have to reveal the name of the app in question (which at this point can be identified by anyone sufficiently motivated anyway).
