An attempt, successful or not, to use any aspect of the App for a nefarious purpose.
We use this term broadly to include traditional, enterprise-centric scenarios, such as described in RFC4949:
An intentional act by which an entity attempts to evade security services and violate the security policy of a system.
But we also include a consumer-centric point of view: based on the information they have, App Users expect Apps to do certain things, and not do others, as well as App Operators to do certain things, and not do others. If there is a substantial difference between App Users' expectations, and actuality, if this difference is intentionally caused, material and potentially negative for the App User, we consider this to be an Attack on the App User.
It is possible that App Creators and App Users disagree on whether something constitutes an Attack; this is particularly possible if App Users are not aware of certain practices of App Creators. Examples abound, for example in product categories such as Spyware.