Big time Android flaw won't be fixed until next build is released
It all revolves around a permissions category that contains one permission, SYSTEM_ALERT_WINDOW. Originally added with Android Marshmallow, this permission was supposed to be manually agreed to by the phone's user. To prevent them from having to grant permission to add functionality to apps already installed, in Android 6.0.1 Google allowed SYSTEM_ALERT_WINDOW to be enabled by default with any app coming from the Google Play Store. However, this left Android handsets open to "displaying fraudulent ads, phishing scams, click-jacking, and overlay windows, which are common with banking Trojans," according to Check Point. The latter says that 74% of ransomware, 57% of adware, and 14% of banker malware uses this flaw to inflict real time harm.
This is not an opening that can be theoretically abused. According to Check Point, these things are happening, now. And while Android O will prevent this by using a new restrictive permission called TYPE_APPLICATION_OVERLAY. To protect Android users until the next build of Android is disseminated, Check Point gives simple, but solid advice. "Beware of fishy apps," it says, even those in the Google Play Store. They also advise those installing apps to read comments written by others, and watch for permissions that are not relevant to the workings of the app being installed.
source: CheckPoint via BGR