The key takeaway: never give an app accessibility permissions when it asks unless you are specifically installing an accessibility app. It could never have done anything without that permission.
The McAfee article (found elsewhere in these comments) said the bad apps obtained accessibility permissions through “social engineering” which probably means it simply asked for them after telling you to ignore the serious warnings Android gives you when an app asks for them.