From the paper, my reading is that it's meant to highlight a larger weakness in Threema's design (the decision to rely heavily on a long-lived private key, which then needs to be exported with a potentially attacker-controllable password in order to transfer identity).
Edit: notably, this wouldn't be a problem if (1) Threema required a preconfigured password to encrypt the private key with, or (2) used an identity transfer scheme that was detectable on the target device. But since they're just copying a key, it's entirely undetectable.
Edit: notably, this wouldn't be a problem if (1) Threema required a preconfigured password to encrypt the private key with, or (2) used an identity transfer scheme that was detectable on the target device. But since they're just copying a key, it's entirely undetectable.