But how does this "attack" work? Our Smartphone has no data plan, just talk...
You, someone else, or an Android app need to manually or automatically install an app or game which is infected with the
Cloak and Dagger full device takeover vulnerability installed on it according to the full article. You don't even need to be online. Someone can use an .apk installer file to install the Android app if you set your phone to allow installing .apk files which you downloaded outside of Google Play like the Amazon App store, 1Mobile, Getjar, or file sharing websites like Dropbox and 4Share.
As with most, it can be avoided by being smart. Only download apps from the play store and try to stay away from unknown games. Just download the main ones from large well known companies.
There is always a chance that the App maker's Google app publishing account gets hacked, and a hacker uploads the same app with the Cloak and Dagger vulnerability installed on the newly updated hacked app.
Big companies sometimes have bad employees, or the company becomes bad, and choose to break the law, and use this security vulnerability to steal data, and stalk Android users.
Big App companies can also be working with the government to spy on Android users by using cloak and dagger in their app, or risk getting arrested if they refuse to work with the government to spy on users.
Countries like Syria, and North Korea most likely use cell phone apps and computer programs to spy on people's cell phone, and copy all their private data. Some governments in North America, Europe, and Asia are becoming more restrictive, and are using law enforcement like the police and the internet, computer operating systems, cell phones, and Smart TVs to spy on people's data and privacy. Governments can secretly infect Cloak and Dagger into apps made by big companies, or force big companies to infect their own apps with Cloak and Dagger.