This seems to be a direct violation of Google Play policy:
"Do not send SMS, email, or other messages on behalf of the user without providing the user with the ability to confirm content and intended recipient."
Not quite. The messages aren't being sent from the device, they're being sent by Path from their own infrastructure once they've uploaded the address-book.
An app generally needs a backend and it is clear some of the policies are directed towards not the app itself but how it interacts with the backend. These same guidelines are meant to be used to stop apps such as malware games that collect contacts and send them to the backend to be used as spam email lists.
"Do not send SMS, email, or other messages on behalf of the user without providing the user with the ability to confirm content and intended recipient."
https://play.google.com/about/developer-content-policy.html