This is quite scary stuff and a bit shocking. That's why I will always stick with my "trust no app" motto. Even trusted software shouldn't be fully trusted.
FinFisher also exposes the need for two-factor authorization in app software downloading. This can be done manually by comparing the hash of the download file to the hash of the download present on the legit vendors web site. There is also the question of whether the bogus downloads were validity signed which was not addressed in the Eset article. I assume they weren't and is also a manual validation everyone should perform prior to installing any app software from a vendor known to sign their software.