Apparently it is possible to use statistical analysis of the size of the SurfaceFlinger off-screen buffer to predict with 90% accuracy what another app is doing. All an attacker needs is an application that runs in the background and does not require any special permissions. Once it determines that a user is entering his password, for example, it can bring to the foreground an identical-looking password dialog and capture the login data. Since the user expects this behavior, they may never notice.
So far all I could find is the actual paper:
And some videos of a proof of concept have been posted:
The question is: has this been seen in the wild? Seems like a very serious threat without an obvious fix...