by megous 359 days ago
Yeah. Go review e.g. the Okta Verify APK and tell me it doesn't do anything nefarious. It's an app that basically just does a TOTP hash from some short secret for all I care/use it for. I can probably implement what it does for me in about 200-300 lines of C code without any dependencies.

The shit app has 60 MiB compressed. I was not even able to find where in the code it works with the damn secrets it uses for TOTP.

Now do WhatsApp with its zillion features.

If you mean that it's hard to explain away for the devs themselves, then people do much worse things in this world, and are able to explain it to themselves just fine as something good, even.