This friend's Binance has no funds, and I think there is no need to change the password this time because he is not using it for trading purposes.
As long as the hackers have the password, when a deposit happens, they will initiate a withdrawal quickly, so changing the password and adding several layers of security will be a good solution.
Was the primary email coming from Binance, I mean? In any case, do not download any application outside the store and make sure that it is the real application, while making sure that there is no active scam, whether by asking here or via Reddit.
It is also safer to use two-factor verification from another device that has not been and will not be connected to the Internet.