There are two different layers: The app has to have OS permission to install APKs, and then the app has to have user permission to install each individual APK. Android will prompt you each time. The only apps exempt from this are "system" apps (baked into the root-only partition) which are allowed to install/upgrade software without asking the user. It makes sense from an anti-malware perspective, but then again most malware finds ways around this anyway so you could argue that it serves no purpose and is only user hostile.
Is this true? Did they change the install permission to one time use or something?