[jeroenhd]

I think it used to be back in the day, but many normal apps use tons of permissions so people skipped over them. Google revamped their UI to only show a select bunch of them at some point. Perhaps in this step they managed to mess up and miss a bunch of permissions that these apps use.

You can't get a permission that's not in your app manifest without root access.

Seeing as the app appears to install apps silently, it probably manages to exploit devices with outdated security to elevate its system permissions. Altering the installed binary and system permission table are probably the easiest way to use the standard Android API to install software in the background, because doing so programmatically is a pain.