The developers of the mobile banking trojan Gugi have introduced modifications to sidestep two key security features of Android 6, Kaspersky Lab researcher Roman Unuchek has reported in the Securelist blog.

Gugi's “ultimate goal is to overlay banking apps with phishing windows in order to steal user credentials...” wrote Unuchek. However, unlike past iterations, Android 6 requires users to approve app overlays rather than automatically executing them, and also dynamically requires user permission before engaging in potentially dangerous in-app activities, such as SMS messaging or calls.

Gugi primarily infects Russia-based device owners via SMS spam that claims the user has received an MMS photo, the blog post continues. When users attempt to view the photo, the new Gugi variant – first discovered in June 2016 – asks for the right to draw over other apps. However, users do not appear to have a choice other than to agree. Once Android's overlay permissions feature is defeated, Gugi next blocks users from accessing their phones' features until they grant additional permissions to perform various dangerous acts that Android 6's dynamic permissions feature was designed to prevent.