Usually done like this, a bug hunter finds a vulnerability, studies it. Then he notifies those in whose structure this vulnerability is located, waits for some time, if there is no progress to eliminate the vulnerability - publishes an article on a thematic resource, uses vulnerabilities, scores on this matter - everything is within his imagination.
However, there is responsibility for actions. If the communication contract contains clauses on abnormal actions regarding communication services, then they can do it for it. The best profit in the first place is the compilation of articles, gaining experience and fame as a specialist, and only then the benefit received from oversights.

- Search for the creator of the application to punish him / initiate a criminal case

If the agreement prohibits the use of this, but due to some error it is technically possible, then making a significant profit from this bug or writing a program to exploit it for personal gain is already a criminal offense under Russian law.

There is a way to beautifully resolve the situation. To do this, you need to compose a competent disclaimer, add it to the license from above , add it to the description on Makret (or any site where the publication takes place) from above , even if this somewhat contradicts the marketing approach, and add a pop-up window with this text in large size to the application itself font so that the window cannot be closed earlier than after N (let's say N = 5) seconds and so that the application functionality becomes available only after the user clicks on the "I accept the terms" button.
In the disclaimer itself, indicate that the user is personally fully responsible for any consequences of using this software and possible damage to a third party ... In general, google "as is, disclaimer" and translate.
The provider itself, of course, will not stop trying to put pressure on you and on the sites that host your software by any means. Be prepared that your application will crash from the Market very quickly. But if you arrange everything correctly and do not use your own software yourself;) then, according to the law, you will actually have nothing to show. Although attempts are possible on their part, but basically it is just intimidation.
If you decide to do this, then you better improve your legal literacy or find a person who is well versed in these issues.

Maybe it's not a bug but a feature?
Yuzay himself, especially to monitize in public is almost unrealistically
interesting vulnerability, is it connected with udp?