Are you using the web site only, android application only or a combination of the two?
Both, the transaction in question happened after some usage of the Android app.
This line of thinking might be worth some checking. The keylogger/thief/bad mojo may be on your phone.
I don't think it is the ap but I have to ask, where did you get the ap?
Assuming it is not the ap itself can you check your phone for malware?
I still have to wonder, what the hell is up with the change? Why is there change? Where did it go? Strange. It is still sitting there. I guess you can monitor that address for movement.