
Android ‘O’ will reportedly fix dangerous permissions flaw exposing users to attacks

A flaw in Google Android's security mechanisms exposes users to ransomware, banking malware and adware attacks, but Google is addressing the issue in its upcoming "Android O" version of the OS, Check Point Software Technologies reported in a blog post on Tuesday.

The vulnerability pertains to an app permission called SYSTEM_ALERT_WINDOW, which, according to Check Point, allows an app to display content over any other app without notifying the user – a capability that could be exploited to perpetrate ad fraud, phishing scams, clickjacking schemes and the malicious overlay techniques used by banking trojans. "It can also be used by ransomware to create a persistent on-top screen that will prevent non-technical users from accessing their devices," the blog post explains.

Starting with Android Marshmallow (version 6), Google created a new permissions process that required users to manually approve the SYSTEM_ALERT_WINDOW permission in order to prevent abuse of the above capabilities. But this safeguard was also apparently stifling the functionality of legitimate apps such as Facebook when users failed to apply the permission. Therefore, Google introduced a patch in version 6.0.1 that essentially grants this dangerous permission automatically to any app that is downloaded directly from the company's official Google Play store.

However, this presents a significant security issue, as cybercriminals continue to find clever new ways of bypassing Google's protections and sneaking their malicious apps into the Google Play store.

According to Check Point, 74 percent of ransomware, 57 percent of adware, and 14 percent of banker malware find a way to abuse the SYSTEM_ALERT_WINDOW permission in one fashion or another as part of their operations.

Check Point further reported that Google will address the flaw in its next major version of Android by creating a new restrictive permission called TYPE_APPLICATION_OVERLAY, which will "[block] windows from being positioned above any critical system windows, allowing users to access settings and block an app from displaying alert windows." SC Media has contacted Google for confirmation of this report.
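For defenders vetting apps, the permission request described above is visible in an app's manifest. The following is an added example, not code from Check Point, Google or SC Media: it parses a decoded AndroidManifest.xml, flags a SYSTEM_ALERT_WINDOW request and labels the grant path as the article describes it for Android 6.0.1. The sample manifest is constructed, and the `installer` argument is an assumed input that the auditor supplies from the device or MDM inventory.

```python
import xml.etree.ElementTree as ET

ANDROID_NS = "{http://schemas.android.com/apk/res/android}"
OVERLAY_PERMISSION = "android.permission.SYSTEM_ALERT_WINDOW"
PLAY_STORE_INSTALLER = "com.android.vending"  # Google Play's package name

# Constructed sample: decoded manifest of a hypothetical app.
SAMPLE_MANIFEST = """<manifest
    xmlns:android="http://schemas.android.com/apk/res/android"
    package="com.example.flashlight">
    <uses-sdk android:minSdkVersion="16" android:targetSdkVersion="23"/>
    <uses-permission android:name="android.permission.INTERNET"/>
    <uses-permission android:name="android.permission.SYSTEM_ALERT_WINDOW"/>
</manifest>"""


def audit_overlay(manifest_xml, installer=None):
    """Report whether an app requests the overlay permission and how the
    article says Android 6.0.1 would treat that request."""
    root = ET.fromstring(manifest_xml)
    # Permissions can be declared with either element name.
    requested = {
        el.get(ANDROID_NS + "name")
        for tag in ("uses-permission", "uses-permission-sdk-23")
        for el in root.iter(tag)
    }
    sdk = root.find("uses-sdk")
    target = sdk.get(ANDROID_NS + "targetSdkVersion") if sdk is not None else None
    finding = {
        "package": root.get("package"),
        # Preview builds may use a codename instead of a number.
        "target_sdk": int(target) if target and target.isdigit() else None,
        "requests_overlay": OVERLAY_PERMISSION in requested,
    }
    if not finding["requests_overlay"]:
        finding["grant_path"] = "not requested"
    elif installer == PLAY_STORE_INSTALLER:
        # Per the article: 6.0.1 grants it automatically to Play store apps.
        finding["grant_path"] = "automatic (Google Play install on 6.0.1)"
    else:
        # Per the article: Marshmallow otherwise requires manual approval.
        finding["grant_path"] = "manual user approval"
    return finding
```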


Facebook, Evernote, Pocket - all apps get this permission on Android 6.0 automatically, even though they are targeting 23 (targetSdkVersion=23).

There has been a lot of documentation regarding the new Marshmallow permission model. One of them is SYSTEM_ALERT_WINDOW being 'promoted' to 'above dangerous' permission class thus requiring a special user intervention in order for apps to be granted with those


Bradley Barth

