One of the new features is to show iCal meeting invites right in the app, and to reply to them, optionally saving to the device's calendar (for sync and reminders).
This requires the permissions to read and write calendar info. It's not used to spy on the user in any way.
Now, you might say, "I don't have any use for this feature, why do I have to grant those permissions"?
Android's permission system at this time is quite rigid: 1) permissions are granted up front, at install time 2) there is no such thing as an optional permission (i.e. the user didn't grant calendar access -- disable the feature at runtime).
This might change with Android 4.4, but at this time, I had to take a deep breath and add those.
And finally, if my goal was to write malware, I'd pick something more simple for the disguise -- an "Asian Girls Naked Live Wallpaper" or something... A mail app is just waaay too much work for this.