
The actual security issue with a proof of concept explanation.

https://issuetracker.google.com/issues/112630336




OK, that's a little more enlightening. It seems my initial guess was mostly correct. The bypassed "security" features mean bypassing Epic's installer verification and not any Android security features, and the comments on the Android permissions point to API version 22.

API version 23 added a new permissions model where, instead of an app asking at install time what permissions are needed, a modal would show when the permission was used.

So there is nothing particularly horrible going on. Android's security and permission model was never broken. The user would see a modal at install time with all the permissions requested, so there is no bypass of this.

In the end, the data and integrity of your other apps is still protected, and the worst case is you installed a malware app which can read your photos and capture your input while using the app. But since you required a malware app already installed to pull this off, this is a double low-risk issue. It's good that it was reported and fixed, but it says nothing about the security of Android.
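
Added example, not part of the thread and not code from Epic or Google: a small audit that reads a decoded `AndroidManifest.xml` and flags apps that target an API level below 23 (so they keep the install-time permission model described above) while requesting permissions Android classifies as dangerous. The manifests, package names and the `audit_manifest` helper are constructed for illustration, and numeric SDK values are assumed.

```python
import xml.etree.ElementTree as ET

ANDROID_NS = "{http://schemas.android.com/apk/res/android}"
RUNTIME_PERMISSION_API = 23  # first API level with runtime permission prompts

# Subset of permissions Android classifies as "dangerous" (not exhaustive).
DANGEROUS = {
    "android.permission.READ_EXTERNAL_STORAGE",
    "android.permission.WRITE_EXTERNAL_STORAGE",
    "android.permission.CAMERA",
    "android.permission.RECORD_AUDIO",
    "android.permission.READ_CONTACTS",
    "android.permission.ACCESS_FINE_LOCATION",
}

# Constructed sample manifests (decoded text XML, hypothetical package names).
LEGACY = """<manifest xmlns:android="http://schemas.android.com/apk/res/android"
    package="com.example.legacy">
  <uses-sdk android:minSdkVersion="19" android:targetSdkVersion="22"/>
  <uses-permission android:name="android.permission.READ_EXTERNAL_STORAGE"/>
  <uses-permission android:name="android.permission.WRITE_EXTERNAL_STORAGE"/>
  <uses-permission android:name="android.permission.INTERNET"/>
</manifest>"""
MODERN = LEGACY.replace('targetSdkVersion="22"', 'targetSdkVersion="26"')


def audit_manifest(xml_text):
    """Report whether an app keeps install-time grants for dangerous permissions."""
    root = ET.fromstring(xml_text)
    uses_sdk = root.find("uses-sdk")
    target = None
    if uses_sdk is not None:
        # A missing targetSdkVersion falls back to minSdkVersion.
        target = (uses_sdk.get(ANDROID_NS + "targetSdkVersion")
                  or uses_sdk.get(ANDROID_NS + "minSdkVersion"))
    target = int(target) if target else 1  # minSdkVersion defaults to 1
    requested = {p.get(ANDROID_NS + "name") for p in root.findall("uses-permission")}
    dangerous = sorted(requested & DANGEROUS)
    legacy_model = target < RUNTIME_PERMISSION_API
    return {
        "package": root.get("package"),
        "target_sdk": target,
        "install_time_grant": legacy_model,
        "dangerous_permissions": dangerous,
        "flag": legacy_model and bool(dangerous),
    }


if __name__ == "__main__":
    for manifest in (LEGACY, MODERN):
        print(audit_manifest(manifest))
```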



