by kjaftaedi 3667 days ago
It is a 2 factor attack in the sense that it reduces the two factors down to one.

2 factor auth is not a defence against phishing. This is such a common misconception. All two-factor means is that someone with only your password cannot log in, or only your device.

What's happening here is that Google accounts without 2-factor but with a phone recovery path set up are being "account recovered" by a bad guy. It's just plain old phishing.

I don't think there were ever 2 steps in this account recovery flow. There seems to be only 1 step when initiating an account recovery: provide the code sent to your phone.

A 2 factor recovery flow would be 1) verify an email that was sent to your recovery email address that triggers 2) this account recovery code sent to your phone.
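The two-step recovery flow sketched in the comment above, as an added illustration that is not part of the thread and not Google's code: an email confirmation token must be redeemed before any SMS code exists for the account, so a code presented without the email step is refused outright. Names (`RecoveryFlow`, `start`, `confirm_email`, `confirm_sms`), the time limits and the attempt counter are all assumptions chosen for the example; delivery of the token and code is left to the caller.

```python
import secrets
import time

# Assumed policy values for this example, not values from the thread.
EMAIL_TOKEN_TTL = 600     # seconds an emailed confirmation link stays valid
SMS_CODE_TTL = 300        # seconds an SMS code stays valid
MAX_SMS_ATTEMPTS = 3      # wrong guesses before the code is discarded


class RecoveryFlow:
    """Account recovery that requires email confirmation before an SMS code (hypothetical)."""

    def __init__(self, clock=time.time):
        self.clock = clock
        self.email_tokens = {}   # token -> (account, issued_at)
        self.sms_codes = {}      # account -> (code, issued_at, attempts_left)

    def start(self, account):
        """Step 1: issue a single-use token to be delivered to the recovery email address."""
        token = secrets.token_urlsafe(32)
        self.email_tokens[token] = (account, self.clock())
        return token   # the caller would email this; it is returned here for the example

    def confirm_email(self, token):
        """Redeem the email token; only then is an SMS code generated for the account."""
        entry = self.email_tokens.pop(token, None)   # pop makes the token single-use
        if entry is None:
            return None
        account, issued = entry
        if self.clock() - issued > EMAIL_TOKEN_TTL:
            return None
        code = f"{secrets.randbelow(10 ** 6):06d}"
        self.sms_codes[account] = (code, self.clock(), MAX_SMS_ATTEMPTS)
        return account, code   # the caller would send the code by SMS

    def confirm_sms(self, account, code):
        """Step 2: accept the SMS code only if step 1 completed for this account."""
        entry = self.sms_codes.get(account)
        if entry is None:
            return False   # no email confirmation happened: the one-step shortcut is refused
        real, issued, attempts = entry
        if self.clock() - issued > SMS_CODE_TTL or attempts <= 0:
            self.sms_codes.pop(account, None)
            return False
        if not secrets.compare_digest(real, code):
            self.sms_codes[account] = (real, issued, attempts - 1)
            return False
        self.sms_codes.pop(account)   # a code is consumed on success
        return True
```

The point of the ordering is that a recovery code can only exist after the recovery mailbox has been reached, so an attacker who can trick the victim into reading out an SMS code still has nothing to relay unless they also control, or have phished, the email step.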

It does not reduce the two factors down to one. You still need two factors (password and SMS code) to login. It's just that you're giving both of them to the attacker.