Social engineering requires social idiots of which there are plenty.
This one really doesn't require too much social engineering. The crooks somehow got their Trojan loaded into an update for the Transmission app for Torrent downloading, and those who use that app for downloading stolen movies and pirated apps, who downloaded the 2.90 update, got the Trojan included with their update. There is some irony in the fact that those who are willing to download pirated apps and steal movies and other copyrighted material are the ones who are going to be hit by this malware.
Sounds like this one is “legitimate” malware, insofar as it’s a normal-ish app running with Apple credentials that still manages to seriously abuse users.
Of course the system isn’t perfectly secure, and can be maliciously manipulated.
What’s important: it got caught fast, the signing authority (required for installation) was quickly revoked, and subsequent versions (auto-update?) undo/ward-off most of the damage which still won’t hit for 2+ days.
Of note: Apple is increasing pressure to “sandbox” apps so they can’t do such damaging things _at_all_. There’s no reason why a Torrent app should have access to any files other than what the user explicitly authorizes.