Check Point reports that 74% of ransomware, 57% of adware, and 14% of banker malware abuse the SYSTEM_ALERT_WINDOW permission found on Android mobile devices.

A flaw in Google Android's security mechanisms exposes users to ransomware, banking malware and adware attacks, but Google is addressing the issue in its upcoming "Android O" version of the OS, Check Point Software Technologies reported in a blog post on Tuesday.

The vulnerability pertains to an app permission called SYSTEM_ALERT_WINDOW, which, according to Check Point, allows an app to display content over any other app without notifying the user, a capability that could be exploited to perpetrate ad fraud, phishing scams, clickjacking schemes and malicious overlay techniques used by banking trojans. "It can also be used by ransomware to create a persistent on-top screen that will prevent non-technical users from accessing their devices," the blog post explains.

Starting with Android Marshmallow (version 6), Google created a new permissions process that required users to manually approve the SYSTEM_ALERT_WINDOW permission in order to prevent abuse of the above capabilities. But this safeguard was also apparently stifling the functionality of legitimate apps such as Facebook when users failed to apply the permission. Therefore, Google introduced a patch in version 6.0.1 that essentially grants this dangerous permission automatically to any app that is downloaded directly from the company's official Google Play store.

However, this presents a significant security issue, as cybercriminals continue to find clever new ways of bypassing Google's protections and sneaking their malicious apps into the Google Play store.

According to Check Point, 74 percent of ransomware, 57 percent of adware, and 14 percent of banker malware find a way to abuse the SYSTEM_ALERT_WINDOW permission in one fashion or another as part of their operations.

Check Point further reported that Google will address the flaw in its next major version of Android by creating a new restrictive permission called TYPE_APPLICATION_OVERLAY, which will "[block] windows from being positioned above any critical system windows, allowing users to access settings and block an app from displaying alert windows." SC Media has contacted Google for confirmation of this report.
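For defenders triaging apps, the grant behaviour described above can be turned into a manifest check. The following is an added example, not code from Check Point or Google: it assumes a text-form AndroidManifest.xml that still carries its `uses-sdk` element and a device running Android 6.0.1, and the function name `audit_overlay` and the sample manifest are constructed for illustration.

```python
import xml.etree.ElementTree as ET

ANDROID_NS = "{http://schemas.android.com/apk/res/android}"
OVERLAY = "android.permission.SYSTEM_ALERT_WINDOW"

# Constructed sample manifest for illustration; not taken from a real app.
SAMPLE_MANIFEST = """<manifest xmlns:android="http://schemas.android.com/apk/res/android"
    package="com.example.constructed">
  <uses-sdk android:minSdkVersion="16" android:targetSdkVersion="23"/>
  <uses-permission android:name="android.permission.INTERNET"/>
  <uses-permission android:name="android.permission.SYSTEM_ALERT_WINDOW"/>
</manifest>"""


def audit_overlay(manifest_xml, from_play_store):
    """Report whether an app requests the overlay permission and how an
    Android 6.0.1 device would grant it, per the behaviour the article describes."""
    root = ET.fromstring(manifest_xml)
    # Permissions may be declared with either element name.
    perms = set()
    for tag in ("uses-permission", "uses-permission-sdk-23"):
        perms.update(p.get(ANDROID_NS + "name") for p in root.iter(tag))
    # targetSdkVersion falls back to minSdkVersion, which falls back to 1.
    sdk = root.find("uses-sdk")
    attrs = sdk.attrib if sdk is not None else {}
    target = int(attrs.get(ANDROID_NS + "targetSdkVersion",
                           attrs.get(ANDROID_NS + "minSdkVersion", "1")))
    report = {"package": root.get("package"),
              "requests_overlay": OVERLAY in perms,
              "target_sdk": target}
    if not report["requests_overlay"]:
        report["grant"] = "not requested"
    elif target < 23:
        # Apps targeting pre-Marshmallow APIs keep the install-time grant.
        report["grant"] = "granted at install"
    elif from_play_store:
        # The 6.0.1 change the article describes for Google Play installs.
        report["grant"] = "auto-granted (Google Play install)"
    else:
        report["grant"] = "manual user approval required"
    return report


if __name__ == "__main__":
    for play in (True, False):
        print(audit_overlay(SAMPLE_MANIFEST, from_play_store=play))
```

Apps that land in the "auto-granted" bucket are the ones worth reviewing first, since they can draw overlays without the user ever seeing an approval screen.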


Facebook, Evernote, Pocket - all apps get this permission on Android 6.0 automatically, even though they are targeting 23 (targetSdkVersion=23).

There has been a lot of documentation regarding the new Marshmallow permission model. One of them is SYSTEM_ALERT_WINDOW being 'promoted' to 'above dangerous' permission class thus requiring a special user intervention in order for apps to be granted with those
