Android users will soon see real-time alerts when an installed app tries to read, forward, or silently dispose of their text messages, or when an app draws a hidden overlay on top of their screen. Google has confirmed that the operating system will surface these warnings both during installation and at runtime, targeting two attack techniques that security researchers have flagged for years. The change addresses a gap that has allowed malicious apps to steal one-time passwords, intercept two-factor authentication codes, and trick users into entering credentials on fake interfaces layered over legitimate apps.
How SMS interception and screen overlays put Android users at risk
The two behaviors Android is now flagging are not theoretical. The National Institute of Standards and Technology has catalogued both in its Mobile Threat Catalogue, a federal reference used by security teams across government and industry. NIST’s entry on SMS interception describes how a malicious app with broad messaging permissions can silently read incoming texts, copy one-time passwords used for two-factor authentication, and forward those codes to an attacker’s server before the user ever sees them. The same app can delete the original message, leaving no trace on the device.
The second threat works differently but can be just as damaging. NIST’s catalogue entry on accessibility overlays explains how apps that gain Accessibility Services permissions can draw false graphical interfaces on top of real screens. A user who believes they are tapping a legitimate login form may actually be entering their username and password into a transparent layer controlled by a hostile app. The technique exploits a feature originally designed to help users with disabilities interact with their phones.
Both attack vectors share a common trait: once the user grants the initial permission, the app operates without further prompts. That silence is what makes the new runtime warnings significant. Instead of relying on a single gate at install time, Android will now re-alert users when an app actively exercises these permissions, giving phone owners a second chance to revoke access before data leaves the device.
Testing whether runtime warnings change user behavior
The core question is whether surfacing alerts at the moment of use will actually change what people do. A reasonable hypothesis is that runtime warnings will measurably reduce the share of newly installed apps that retain SMS or accessibility permissions beyond the first week after install. The logic is straightforward: a user who sees a pop-up saying that an app just read a text message is more likely to open settings and revoke that permission than a user who approved a generic request days earlier and forgot about it.
Android’s existing permission model already asks users to approve sensitive access during installation or first use. But research into permission fatigue suggests that many people tap “Allow” reflexively, especially when the request appears alongside dozens of other setup steps. A warning that fires later, tied to a specific action the app just took, carries more informational weight. It connects the abstract concept of “SMS access” to a concrete event the user can evaluate in real time.
No public user-study results yet measure how often people approve overlay or SMS permissions without understanding the risks, or how runtime warnings affect revocation rates. That data gap means the hypothesis remains untested at scale. Google has not released metrics on how many Play Store apps currently request these permissions or how those requests break down by app category. Without baseline numbers, any projected reduction in retained permissions is speculative. The real test will come in the months after the feature rolls out, when researchers can compare permission-retention rates before and after the change.
What NIST’s threat catalogue reveals about the attack surface
The federal documentation behind these threats gives the Android changes a concrete technical foundation. NIST’s Mobile Threat Catalogue is not a set of recommendations or best practices. It is a structured taxonomy of known attack techniques, each assigned an identifier and described with enough detail for security engineers to build defenses against it.
The SMS interception entry, catalogued as APP-17, lays out a scenario in which an app registers as a default messaging handler or uses a background service to monitor incoming messages. The app can act on those messages without displaying any notification. For users who rely on SMS-based two-factor authentication for banking, email, or social media accounts, this means a compromised app can bypass that second layer of security entirely. The attacker receives the code, uses it before the legitimate user does, and the account is breached.
The overlay attack entry, catalogued as APP-37, describes a technique that abuses Accessibility Services to display false graphical interfaces. The attacker’s overlay can mimic the appearance of a trusted app, capturing taps and keystrokes. Because the overlay sits on top of the real interface, the user has no visual indication that anything is wrong. NIST identifies this as a distinct threat vector because it does not require the attacker to modify the legitimate app. The malicious overlay runs as a separate process, making it harder for traditional antivirus tools to detect.
Together, these two catalogue entries describe a phone that can be turned against its owner. One technique steals what the user receives. The other steals what the user types. Android’s new warnings target both channels simultaneously.
Design challenges behind meaningful warnings
Turning these insights into effective protections is not just a matter of adding more pop-ups. Designers must balance clarity against overload. If alerts trigger too frequently-say, every time a legitimate messaging app reads an incoming code the user expects-people may begin to dismiss them without thinking. If alerts are too rare or too vague, they fail to prompt action when it matters.
One design challenge is phrasing. A message that simply states that an app accessed SMS may not convey urgency, while language that implies imminent compromise could cause unnecessary panic. Another challenge is timing. A warning that appears while the user is in the middle of a critical task, such as paying a bill or authenticating into a work system, could be dismissed just to clear the screen. Android’s implementation will need to surface alerts in a way that is noticeable but minimally disruptive, and ideally paired with a one-tap path to review or revoke the underlying permission.
There is also the question of how much context to show. Naming the app, the type of data accessed, and the permission involved helps users make an informed decision. Yet exposing too much technical detail risks confusing non-specialists. The most effective designs will likely use plain language summaries with an option to drill into more granular logs for those who want them.
Open questions and what Android users should watch for next
Several gaps remain in the public record around this rollout. Google has not specified which Android version will first carry the runtime warnings, or whether the feature will be delivered through a full operating system update, a Google Play Services component, or another mechanism. That distinction matters because it determines how quickly older devices will see the protections and whether phone makers and carriers can delay or modify the change.
It is also unclear how much control users and developers will have over the new behavior. Google has not said whether there will be settings to adjust the sensitivity of alerts, whitelist trusted apps, or suppress warnings in specific circumstances such as using a banking app that legitimately reads verification codes. Similarly, developers do not yet know whether they will be required to update their permission declarations or user education flows to account for the new prompts.
In the absence of those details, Android users can still take several practical steps. Reviewing the list of apps that currently have SMS or Accessibility Services access is a straightforward starting point. Removing permissions from apps that do not clearly need them reduces exposure even before the new warnings arrive. Being cautious about sideloading apps from outside official stores, and scrutinizing any app that requests broad messaging or accessibility access, further narrows the attack surface described in the NIST catalogue.
Once the runtime alerts begin appearing, they will add a new feedback loop between users and their devices. Each warning is an opportunity to reconsider whether an app truly needs the power it has been given. If enough people act on those prompts-uninstalling suspicious software, revoking risky permissions, and reporting abusive behavior-the combination of platform changes and user vigilance could significantly blunt two of the most persistent mobile threats. The effectiveness of Google’s approach will ultimately be measured not just by how many alerts are shown, but by how often they lead to safer choices.
More from Morning Overview
*This article was researched with the help of AI, with human editors creating the final content.