The process exploits mismatched permissions that allow the hacker to penetrate a phone’s operating system in plain sight. It abuses the SYSTEM_ALERT_WINDOW and BIND_ACCESSIBILITY_SERVICE permissions, which allow the hacker to capture passwords, PINs, and 2FA codes, unlock phone screens, and ultimately obtain all other permissions.