The study is available here[0]. The gist is that an app can launder a request it isn't privileged to make through another app that is privileged and doesn't correctly check the intent sender. There are examples in Section 4.3.<p>[0] : <a href="http://people.cs.vt.edu/danfeng/papers/AsiaCCS-17-Yao.pdf" rel="nofollow">http://people.cs.vt.edu/danfeng/papers/AsiaCCS-17-Yao.pdf</a>
I only use Nexus and Pixel devices lately, so I'm not sure if this is available on all devices, but for apps that I have any worries about (e.g. 100% of games) I have a second user, on an empty gmail account created purely for that purpose, that I switch over to. It takes less than three seconds to switch accounts, I game and get the diversion, and then switch back. The downside is that I don't get notifications, and some privileged info is still available to the apps (although I block the ability to make calls or send texts to the other number, etc), but it does greatly reduce the surface area of the exposure.
For anyone looking for the dataset:<p><a href="https://amiangshu.com/dialdroid/" rel="nofollow">https://amiangshu.com/dialdroid/</a>