Firefox OS is different - Every app in Firefox OS including the Camera and the Dialer is a web app, i.e. a website in the form of an app. Simple! Mozilla has developed Web APIs so that HTML5 apps can communicate with the device’s hardware and Shantanu has used the same APIs intentionally to exploit the device for malicious purpose.
Hosted apps are just a website is the application, means you can host the app on a publicly accessible Web server, just like any other website.
Update : A Mozilla spokesperson provided the following statement: "We are aware of plans to demonstrate a malware app able to perform malicious tasks on the Firefox OS phone. Such attacks usually rely on developer mode functionality, which is common to most Smartphones but disabled by default. In addition, we believe this demonstration requires the phone to be physically connected to a computer controlled by the attacker, and unlocked by the user."