The malicious apps introduce the main payload via an update request and then ask for Device Admin and Accessibility Services permissions, which let it to perform fraudulent activities.

So to get compromised, you have to give an untrusted app full control of your computer? For a moment, I thought another actual permissionless vulnerability might have been discovered, but it seems not.