A security vulnerability in Android allows attackers to take over your phone and install software without you knowing.
The new class of attacks, known as Cloak & Dagger, allow a malicious app to control the UI feedback loop and take over the device.
The Cloak & Dagger attack can be performed without the user noticing the malicious activity on their device.
The attacks only require two permissions, which the user does not need to explicitly grant and for which they are not notified.
“Our user study indicates that these attacks are practical,” said researchers from the University of California.
The attacks affect all recent versions of Android – including the latest version, Android 7.1.2 – and they are yet to be patched.
The researchers alerted Google to the attacks in August 2016, and continued to update the company on the vulnerability.