Re: Shame Kaspersky
It's a shame you didn't click on the blog link in Reg article which Kaspersky Lab answered almost all your questions.
Like perhaps how this is distributed
It is currently known to be from a list of websites, so it is distributed by website through installing the app itself.
how many defences you have to disable to get it
Since it is inflected by installing the app itself, at most one defense you have to disable to install it, which would be 'allow 3rd party app install'. At minimum zero defense you have to disable to get it if it's on the play store and you installed it.
How many permissions you have to grant it.
None since it won't ask you for them if it roots your phone. If it does ask you, it'll ask at least microphone, camera, location and maybe contacts (from one image, the log shows it stealing facebook data and contacts but doesn't state if that will trigger the contact permission).