The fake app is probably more malicious than the original app - if you read the terms and conditions it is true that the app records everywhere you scan, but does not track actual GPS location / does not access storage or camera / mike except when you allow it for a second to scan the QR code...
Also, the app does not upload anything to any server, it only receives locations where alerts have been published, and checks if any of the locations visited at that time is a match.
It is strange that people are suddenly so concerned about privacy, when they already accepted to give all their browsing / location / shopping data to apple / google / octopus / amazon etc.