No, this is nothing new. The user is in fact manually downloading the app and accepting the permissions. The app then maliciously connects to a server and runs commands without the user knowing. However, we already knew that this was possible in Android. It's not a 'zero-day vulnerability' or a 'drive-by download' at all. Just another example of why you need to be careful what you download on Android.
My reading of the vulnerability is that you have some app with few permissions, that then triggers installing an app with many permissions. The user is presented with a confirmation dialog for this installation. However, the low-permission app can overlay a window on top of this dialog, showing any content it likes, and this window can be configured to pass touch events through. So the user thinks he is interacting with this overlay window but is in reality confirming the installation of the new app.
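The defensive side of the overlay behaviour described in the comment above, as an added example that is not part of the original thread: a confirmation button that drops touches arriving while another window covers it. The class name `ObscuredSafeButton` is hypothetical; the `View` and `MotionEvent` calls are standard Android SDK APIs, and the technique applies to an app's own sensitive buttons.

```java
import android.content.Context;
import android.os.Build;
import android.util.AttributeSet;
import android.util.Log;
import android.view.MotionEvent;
import android.widget.Button;

/**
 * Hypothetical confirm button (name is an assumption, not from the thread)
 * that refuses touches delivered while another window sits on top of it.
 */
public class ObscuredSafeButton extends Button {
    private static final String TAG = "ObscuredSafeButton";

    public ObscuredSafeButton(Context context, AttributeSet attrs) {
        super(context, attrs);
        // Framework filter: discard touches when the touched point is covered.
        setFilterTouchesWhenObscured(true);
    }

    @Override
    public boolean onFilterTouchEventForSecurity(MotionEvent event) {
        int flags = event.getFlags();
        // Set when a visible window above ours covers the touched location,
        // which is the case for a pass-through overlay.
        boolean obscured = (flags & MotionEvent.FLAG_WINDOW_IS_OBSCURED) != 0;
        // Partial-overlap flag is only defined from API 29 onward.
        if (Build.VERSION.SDK_INT >= Build.VERSION_CODES.Q) {
            obscured |= (flags & MotionEvent.FLAG_WINDOW_IS_PARTIALLY_OBSCURED) != 0;
        }
        if (obscured) {
            // Log for diagnostics and drop the event (false = do not dispatch).
            Log.w(TAG, "Touch dropped: window is obscured by another window");
            return false;
        }
        return super.onFilterTouchEventForSecurity(event);
    }
}
```

The same filter can be enabled without subclassing by setting `android:filterTouchesWhenObscured="true"` on the view in its layout XML.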