The two newest versions of Android expose a permission that ransomware and banking malware are exploiting to take over the screen.
Security firm Check Point has examined Android's permission model and found a design quirk that has become a favorite tool for ransomware, adware, and banking trojans to hijack victims' screens with phishing pages and extortion demands.
The problem stems from an extremely sensitive permission called SYSTEM_ALERT_WINDOW, which Android 6.0 Marshmallow, the most widely used version of Android, treats as a "special" permission with its own approval path. The permission allows an app to draw windows on top of all other apps, which is exactly what an overlay attack needs: a fake login page or a ransom note laid over whatever the victim is looking at.
“According to our findings, 74 percent of ransomware, 57 percent of adware, and 14 percent of banker malware abuse this permission as part of their operation. This is clearly not a minor threat, but an actual tactic used in the wild,” Check Point’s mobile research team notes.
Given its potential for abuse, Google initially required the user to approve this permission by hand on a dedicated Settings screen ("Draw over other apps"), a harder process than for "normal" permissions, such as reading Wi-Fi state, which are granted automatically at install time, or "dangerous" permissions, such as the camera, microphone, or contacts, which are granted through a runtime prompt.
However, in Android 6.0.1, Google made an exception: SYSTEM_ALERT_WINDOW is granted automatically, with no Settings step, so long as the app was installed from the Play Store.
It did this because the manual process was causing troubles for legitimate apps, like Facebook Messenger, which relied on the feature to support its floating chat heads, according to Check Point.
“As a temporary solution, Google applied a patch in Android version 6.0.1 that allows the Play Store app to grant run-time permissions, which are later used to grant SYSTEM_ALERT_WINDOW permission to apps installed from the app store. This means that a malicious app downloaded directly from the app store will be automatically granted this dangerous permission,” the firm notes.
Google Play is by far the safest place to install Android apps. However, if the use of this permission is as widespread as Check Point says, the exception may have exposed Google Play users to greater risk. Whether it was a wise choice depends heavily on Google’s ability to prevent malware from reaching its app store.
The security firm notes that “nearly 45 percent of the applications using the SYSTEM_ALERT_WINDOW permission are apps from Google Play”.
Not all those apps are necessarily malicious, but the Google Play malware checker, known as Bouncer, doesn’t have a perfect record for detecting malware.
Google recently removed several Android apps carrying the BankBot malware targeting European and Australian banking customers, which displayed overlays identical to each targeted bank app’s login pages.
Check Point has also raised the alarm over several examples of adware hiding inside seemingly legitimate apps on Google Play.
According to Check Point, Google will address this issue in Android O, which is currently in developer preview and is scheduled for release in the third quarter this year. The fix is not a new permission but a new window type, TYPE_APPLICATION_OVERLAY: apps that target Android O must use it for overlays in place of the older system window types such as TYPE_SYSTEM_ALERT, which are deprecated, and an app still needs the SYSTEM_ALERT_WINDOW permission to use it.
The new window type "blocks windows from being positioned above any critical system windows, allowing users to access settings and block an app from displaying alert windows", according to Check Point.
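As an added example, not code from the article or from Check Point, the following shows how a legitimate app is supposed to handle the permission described above: on Marshmallow and later it must check Settings.canDrawOverlays() and send the user to the "Draw over other apps" screen if the permission is missing, and once it targets Android O it must build its overlay with TYPE_APPLICATION_OVERLAY rather than TYPE_SYSTEM_ALERT. The class and method names (OverlayHelper and friends) and the request code are this example's own; the app's manifest must also declare android.permission.SYSTEM_ALERT_WINDOW.

```java
// Added example (not from the article or from Check Point): handling
// SYSTEM_ALERT_WINDOW the way the platform expects on Android 6.0+ and O.
// Class, method names and the request code are this example's own.
import android.app.Activity;
import android.content.Context;
import android.content.Intent;
import android.graphics.PixelFormat;
import android.net.Uri;
import android.os.Build;
import android.provider.Settings;
import android.view.Gravity;
import android.view.View;
import android.view.WindowManager;

public final class OverlayHelper {
    private static final int REQUEST_OVERLAY = 0x0A11; // arbitrary request code

    private OverlayHelper() {}

    // On Android 6.0+ a manifest entry for SYSTEM_ALERT_WINDOW is not enough:
    // the user must enable "Draw over other apps" for this package in Settings
    // (the 6.0.1 Play Store auto-grant discussed in the article is the exception).
    public static boolean hasOverlayPermission(Context ctx) {
        if (Build.VERSION.SDK_INT < Build.VERSION_CODES.M) {
            return true; // pre-Marshmallow: granted at install time from the manifest
        }
        return Settings.canDrawOverlays(ctx);
    }

    // Sends the user to this app's "Draw over other apps" screen. The result
    // arrives in onActivityResult(); re-check with hasOverlayPermission() there.
    public static void requestOverlayPermission(Activity activity) {
        if (hasOverlayPermission(activity)) return;
        Intent intent = new Intent(Settings.ACTION_MANAGE_OVERLAY_PERMISSION,
                Uri.parse("package:" + activity.getPackageName()));
        activity.startActivityForResult(intent, REQUEST_OVERLAY);
    }

    // Android O deprecates TYPE_SYSTEM_ALERT (and TYPE_PHONE, TYPE_SYSTEM_OVERLAY, ...).
    // Apps targeting O must use TYPE_APPLICATION_OVERLAY, which the system always
    // keeps below critical windows such as the status bar and the keyboard and
    // which the user can switch off from the notification shown while it is up.
    @SuppressWarnings("deprecation")
    public static int overlayWindowType() {
        if (Build.VERSION.SDK_INT >= Build.VERSION_CODES.O) {
            return WindowManager.LayoutParams.TYPE_APPLICATION_OVERLAY;
        }
        return WindowManager.LayoutParams.TYPE_SYSTEM_ALERT;
    }

    // Adds a view as an overlay above other apps. Returns false if the permission
    // is missing; a well-behaved app then asks for it rather than failing silently.
    public static boolean showOverlay(Context ctx, View view) {
        if (!hasOverlayPermission(ctx)) return false;
        WindowManager wm = (WindowManager) ctx.getSystemService(Context.WINDOW_SERVICE);
        WindowManager.LayoutParams lp = new WindowManager.LayoutParams(
                WindowManager.LayoutParams.WRAP_CONTENT,
                WindowManager.LayoutParams.WRAP_CONTENT,
                overlayWindowType(),
                // NOT_FOCUSABLE: key input and touches outside the view's bounds
                // still reach the app underneath instead of being swallowed.
                WindowManager.LayoutParams.FLAG_NOT_FOCUSABLE,
                PixelFormat.TRANSLUCENT);
        lp.gravity = Gravity.TOP | Gravity.START;
        wm.addView(view, lp);
        return true;
    }
}
```

To check a device by hand rather than from code, `adb shell appops get <package> SYSTEM_ALERT_WINDOW` reports whether the overlay operation is allowed for a given package, and `adb shell appops set <package> SYSTEM_ALERT_WINDOW deny` revokes it without uninstalling the app, which is a quick way to neutralize an overlay that is blocking the screen.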