It's likely to affect a very large number of apps, some of the preloaded Google apps are included such as Google Translate and Google Voice Typing. BleepingComputer has a much more technical article describing the dubbed Man-in-the-Disk attack.
A malicious app can manipulate other app's data by injecting malformed data, which can potentially crash the app. The crash then allows the malicious app to gain the permissions of the crashed app, so if the crashed app had a lot more permissions, the malicious one now gained all of those permissions. Additionally it's able to intercept app updates just as they are about to be installed replacing other apps with malicious versions. Following the Android security guidelines for development properly stops this attack but not all developers do, hence the news.
EDIT: Just realized this is different news, got em confused since I read both today. Too lazy to write a thread for the other one tho
Google Translate and Google Voice Typing are affected.
EDIT: Hmmm, just realized this is probably the other news I saw, woops.