Interestingly, Google regarded both of these permissions as "normal", which means that they are granted to apps automatically and users are not required to approve them specifically. Users were also not notified that these permissions had been given, which allowed wrongdoers to benefit from this flaw. The malicious app changed a certain icon to attract users' attention and make them tap it, which led them to phishing websites that collected their sensitive information.
FireEye discovered this security hole and the app that takes advantage of it back in October 2013. In February, Google revealed that it had prepared a hotfix and just recently rolled it out to its partners.
source: Computer World via SlashGear