And using loads of sensitive permissions to pull it off, like accessibility to read the screen. It’s not stealing the auth cookies from the app nor throwing exploits at Android to escape the sandbox.
Headline definitely makes it sound like it’s a drive-by exploit, but no it’s just the usual social engineering everyone is familiar with.