Researchers have uncovered a new Android vulnerability that allows malicious apps to reconstruct on-screen content, such as recovery phrases and two-factor authentication codes.