However, the highlight of this new attack is that the hacker has got the access to the smartphone even when it's locked. As you can in the video, there's an attack called 'clickjacking,' which unknowingly takes the user's action on the screen, but he won't be aware of what he is doing.
"These attacks allow a malicious app to completely control the UI feedback loop and take over the device — without giving the user a chance to notice the malicious activity. These attacks only require two permissions that, in case the app is installed from the Play Store, the user does not need to explicitly grant and for which she is not even notified. Our user study indicates that these attacks are practical. These attacks affect all recent versions of Android (including the latest version, Android 7.1.2), and they are yet to be fixed," said by the attacker.
A Google Spokesperson in reply to the latest vulnerability said : We’ve been in close touch with the researchers and, as always, we appreciate their efforts to help keep our users safer. We have updated Google Play Protect — our security services on all Android devices with Google Play — to detect and prevent the installation of these apps. Prior to this report, we had already built new security protections into Android O that will further strengthen our protection from these issues, moving forward."