The exploit works by highjacking a legitimate app as it’s launched on almost any Android phone. Instead of going to the welcome screen or login page, the exploit allows a piece of malware to display so-called permissions pop-ups, the kind that asks if the app can access your contacts, location, and stored data. When you approve the request, the malware is given all of the permissions instead of the legitimate app, which continues to run as if nothing happened.