The biggest part of this story is that it is now easier to make a trojanized version of a legit app. But it has been possible from day one.
Android apps are written in Java, and the bytecode shipped in an APK can be decompiled into something remarkably similar to the original source code. Then the source code can be edited and compiled back into an app. Hey presto, you have a hacked-up version of the app.
But -- and this is important -- the person using this attack has no way to sign the malware with the same signing key as the upstream source of the original, legit app (short of stealing the developer's private key). This means that it is much harder to trick someone who already has the legit app into replacing it with the malware.
So, if you get an app from the Google Play store, and later someone tries to overwrite your app with a new build that is malware-infected, Android will refuse to install the new build, because its signing certificate doesn't match the one on the app already installed under that package name.
But if a user gets an email with an attached "free" version of an app that normally costs money, and that user has not previously installed the legit version of the app, and that user sideloads the malware version, then there is no existing signature to compare against, and that user will have malware on his/her Android device.
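To make the three cases above concrete, here is a small model of the package manager's signer check. It is an added example written for this page, not AOSP code: the "certificates" are constructed byte strings standing in for the DER-encoded signing certificates, and `Device` is a hypothetical stand-in for the real package manager, which compares the SHA-256 digest of the signer certificate in the same way.

```python
import hashlib
from typing import Dict, Optional

# Constructed stand-ins for DER-encoded signing certificates. A real package
# manager reads these out of the APK's signature block; for this model they
# are just distinct byte strings.
UPSTREAM_CERT = b"CONSTRUCTED-DER: CN=Upstream Developer, serial=1"
ATTACKER_CERT = b"CONSTRUCTED-DER: CN=Attacker, serial=1"


def cert_digest(der: bytes) -> str:
    """SHA-256 of the signing certificate; this is the identity Android keys on,
    and the same value `apksigner verify --print-certs` prints for an APK."""
    return hashlib.sha256(der).hexdigest()


class Device:
    """Hypothetical model of the install/update decision (assumption: not AOSP code)."""

    def __init__(self) -> None:
        # package name -> digest of the certificate the installed build was signed with
        self.installed: Dict[str, str] = {}

    def install(self, package: str, signer_cert: bytes) -> bool:
        """Return True if the build is installed, False if it is refused."""
        digest = cert_digest(signer_cert)
        current: Optional[str] = self.installed.get(package)
        if current is None:
            # Nothing to compare against: a fresh install (or sideload) is accepted,
            # whoever signed it. This is the case the email attachment relies on.
            self.installed[package] = digest
            return True
        if current != digest:
            # Same package name, different signer: Android refuses the update
            # (INSTALL_FAILED_UPDATE_INCOMPATIBLE).
            return False
        # Same signer as the installed build: a legitimate update.
        self.installed[package] = digest
        return True

    def uninstall(self, package: str) -> None:
        # Removing the app also removes the signer record, so a later install
        # of a trojanized build under the same name is accepted again.
        self.installed.pop(package, None)


def run_scenarios() -> Dict[str, bool]:
    """Walk through the scenarios from the text and report what the device does."""
    pkg = "com.example.paidapp"  # constructed package name
    results: Dict[str, bool] = {}

    # 1. Installed from Play, then someone pushes a trojanized "update".
    d = Device()
    d.install(pkg, UPSTREAM_CERT)
    results["play_then_trojan_update"] = d.install(pkg, ATTACKER_CERT)

    # 2. Legit update from the same developer still works.
    results["play_then_legit_update"] = d.install(pkg, UPSTREAM_CERT)

    # 3. Never had the legit app; sideloads the "free" copy from an email.
    d2 = Device()
    results["fresh_sideload"] = d2.install(pkg, ATTACKER_CERT)

    # 4. Uninstalling the legit app first throws away the protection.
    d.uninstall(pkg)
    results["uninstall_then_sideload"] = d.install(pkg, ATTACKER_CERT)
    return results


if __name__ == "__main__":
    for name, accepted in run_scenarios().items():
        print(f"{name}: {'installed' if accepted else 'REFUSED'}")
```

On a real APK you can see the value the device compares by running `apksigner verify --print-certs app.apk` (from the Android SDK build tools) and looking at the signer certificate SHA-256 digest; two builds of the "same" app from different sources will show different digests.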
So, as usual, it's easy to protect yourself: get apps from the Google Play store, and don't sideload apps unless you are certain they are clean.
For that matter, if you are browsing the Google Play store and you see an app that has only been up for a day, and claims to be a miraculously free version of a payware app... just say no.