The GDPR Might Well Apply
The GDPR applies when a Data Controller (usually the provider of the service) is located in the EU or when the service is "targeted" at the EU or any part of it by the Data Controller (DC), and any person whose personal information (PI) is processed by the DC. (Note: "Process" includes simply storing the information.)
More specifically GDPR Article 3 paragraph 2 reads:
(2) This Regulation applies to the processing of personal data of data subjects who are in the Union by a controller or processor not established in the Union, where the processing activities are related to:
(2) (a) the offering of goods or services, irrespective of whether a payment of the data subject is required, to such data subjects in the Union; or
(2) (b) the monitoring of their behaviour as far as their behaviour takes place within the Union.
GDPR Recital 23 reads:
In order to ensure that natural persons are not deprived of the protection to which they are entitled under this Regulation, the processing of personal data of data subjects who are in the Union by a controller or a processor not established in the Union should be subject to this Regulation where the processing activities are related to offering goods or services to such data subjects irrespective of whether connected to a payment. In order to determine whether such a controller or processor is offering goods or services to data subjects who are in the Union, it should be ascertained whether it is apparent that the controller or processor envisages offering services to data subjects in one or more Member States in the Union. Whereas the mere accessibility of the controller’s, processor’s or an intermediary’s website in the Union, of an email address or of other contact details, or the use of a language generally used in the third country where the controller is established, is insufficient to ascertain such intention, factors such as the use of a language or a currency generally used in one or more Member States with the possibility of ordering goods and services in that other language, or the mentioning of customers or users who are in the Union, may make it apparent that the controller envisages offering goods or services to data subjects in the Union.
This means that when a non-EU DC provides goods or services to people in the EU, and also advertises in the EU, uses the language of an EU country that is not the/a language of the country where the DC is located, accepts payments in euros or a currency of an EU country, or other evidence shows an intent by the DC to offer goods or services to people in the EU (or part of it), then the DC may be taken to have intended to offer goods or services to people in the EU, and the GDPR will apply.
In the case described in the question, it is said that:
The app doesn't support EU customers and is geo-blocked by default.
This would be good evidence that the DC is not targeting the EU, and so the GDPR does not apply. Information (PI) about people in the EU who nonetheless manage to use the service would appear not to be covered by the GDPR when the app collects and stores it.
However, if such PI is transferred into the EU, then the person or firm that controls it might be considered a separate DC that is "established in the Union", or if the DC who controls the in-EU storage is clearly the same as the DC who originally did the out-of-EU collection, then that DC might be considered to have acquired an "establishment" in the EU. If so, any processing done by that establishment would be subject to the GDPR.
GDPR Recital reads:
Any processing of personal data in the context of the activities of an establishment of a controller or a processor in the Union should be carried out in accordance with this Regulation, regardless of whether the processing itself takes place within the Union. Establishment implies the effective and real exercise of activity through stable arrangements. The legal form of such arrangements, whether through a branch or a subsidiary with a legal personality, is not the determining factor in that respect.
Thus it would seem that transferring the PI of people located in the EU (or who were so located when the data was collected) into the EU might well subject that PI (and the relevant DC) to the GDPR. If so, a notice to the Data Subjects (people whose information is so processed) might well be required, and the DC would need a lawful basis for processing under GDPR Article 6
I do not find specific EU caselaw on this point.
Note that Under GDPR article 2 paragraph 2:
This Regulation does not apply to the processing of personal data: ...
(b) by a natural person in the course of a purely personal or household activity;
However, it is not at all clear from the question that the data storage and other processing intended would constitute "purely personal or household activity". In fact I rather doubt that it would.
Note that the UK version of the GDPR now has essentially identical provisions with regard to the UK, as the EU version does with regard to the EU.