The concern is not about "malware," per se, embedded in the app, but that the app is harvesting valuable data and shipping it off to Google for who knows what. The point is that the user would never notice malicious behavior because, to most users, it wouldn't be considered malicious at all. So the app took some pictures and sent them to Google; big deal! Most likely that code is in there somewhere, and your average person will know exactly what it's doing and not think twice about it.
And Google isn't stupid; if they want to hide something (which again, they probably don't), the dumbest thing they could possibly do is obfuscate the bytecode. That sets off red flags and alarms everywhere, and suddenly there's thousands of skilled RE's analyzing the app (a lot of them just for the challenge, which is far more compelling with a big name like Google involved), whereas right now all we have is the occasional tech blog doing a cursory overview (which is all your link is, btw). Also, there's far better ways to hide code than blanket obfuscation. Like I said, that's probably the worst way to do it. And no, there's no way to prevent reverse engineering of an app. It's impossible in practice, and I've actually worked on the theoretical side of that, and while I don't have a formal proof that it's impossible, I'm pretty darn sure it is.
The point of the OP isn't that it might be malicious in the traditional sense; it's that the CIA may be involved, and if they are, they'll be scooping up massive swaths of data (and again, the code involved here will be completely ignored by most any reverse engineer because it's completely mundane: uploading a picture) and we have no idea what they'll use that data for.
RE: CIA and PokemonGO: Welcome to a New ERA of Covert Surveillance!