I have read this a few times and its still not clear what the issue was. There are a lot of vague statements like "sneakily replace the real Fortnite app with a fake one after security checks were already complete" What "security check" is this talking about.
My best guess is this,
Epic app installer downloads an apk to the disk, malware app already installed swaps the apk with its own while its on disk, epic installer uses android system prompt to install the swapped apk.
From what I can see, this doesn't give any extra permissions that a normal sideloaded app would not have access to. The worst I can see is that the swapped apk grabs your payment details you enter in the app which was always possible as I pointed out.
Ok thats a little more enlightening. It seems my initial guess was mostly correct. The bypassed "security" features means bypassing epics installer verification and not any android security features and the comments on the android permissions point to api version 22.
Api version 23 added a new permissions model where instead of an app asking at install time what permissions are needed, a modal would show when the permission was used.
So there is nothing particularly horrible going on. Androids security and permission model was never broken. The user would see a modal at install time with all the permissions requested so there is no bypass of this.
In the end the data and integrity of your other apps is still protected and the worst case is you installed a malware app which can read your photos and capture your input while using the app. But since you required a malware app already installed to pull this off then this is a double low risk issue. Its good that it was reported and fixed but it says nothing about the security of Android.
My best guess is this,
Epic app installer downloads an apk to the disk, malware app already installed swaps the apk with its own while its on disk, epic installer uses android system prompt to install the swapped apk.
From what I can see, this doesn't give any extra permissions that a normal sideloaded app would not have access to. The worst I can see is that the swapped apk grabs your payment details you enter in the app which was always possible as I pointed out.