Android's permission management architecture suffers from a vulnerability that allows an attacker to access the system via a remote shell. In this video ... explains how a "no-permission application" - one that does not request any sensitive-operation permission in order to work - can be exploited.
From the original post:
"It is not a zero-day exploit or a root exploit. We are using Android the way it was designed to work, but in a clever way in order to establish a 2-way communication channel."
I think that the issue is a matter of the "Least Privilege" principle!