Since the other reply was unhelpful: apps are supposed to have limited privileges and isolation from each other, yes… But the whole point of malware like this is that they figure out ways to break those restrictions and get escalated privileged.
You can get more technical detail from reading the report, in this case it looks like the app does not contain malware, but instead requests an update after install that contains the bad code and then breaks the app limitations and scans for the target banking applications and copies the security certificates.
For those not keeping up: this is the fallout from Erdogan ignoring economics and keeping interest rates low for years; only in the past year or so having conceding to reality and finally letting rates rise. They’ll likely continue suffering fallout from his prior stance on interest rates for the remainder of the decade.
From last summer:
https://www.cnn.com/2023/06/22/economy/turkey-hikes-interest-rates/index.html
and
https://www.cnbc.com/2023/06/14/turkeys-erdogan-agrees-to-monetary-policy-turnaround-under-simsek.html