http://wccftech.com/android-vulnerable-toast-except-oreo/

Security researchers have warned that all versions of Android except for the very latest Oreo are vulnerable to an overlay attack. A security flaw in Android can surreptitiously grant an app the permission to draw bogus screens, tricking users into clicking on them. These apps essentially try to reach outside the sandbox, hiding what actually is happening with fake screens and text.

“They [malicious apps] can make it look like you’re touching one thing when you’re touching another,” Palo Alto researcher Ryan Olson said. “All they have to do is put an overlay a button over ‘activate this app to be a device admin’ and they’ve tricked you into giving them control of your device.”