The article is pretty clear that the issue is with the Android devices themselves, not with lazy users. There is no indication that a malicious app has these permissions.
Comment on Hackers can steal 2FA codes and private messages from Android phones
justOnePersistentKbinPlease@fedia.io 2 days ago
Yeah, so if you install an app that gives them full permissions, they can see what you're doing on your phone.
shocking
XLE@piefed.social 2 days ago
BrikoX@lemmy.zip 2 days ago
Except the attack “requires no permissions” for the app to work.