Security researchers have discovered a serious vulnerability affecting the two newest versions of Android. While Google is aware of the issue, it won't be fixed until the release of Android O - the upcoming version of Google's mobile operating system.
Researchers at Check Point have revealed that one permission in Android's permission model is so easy to obtain and so useful to attackers that it has become a magnet for ransomware and banking malware. "According to our findings, 74 percent of ransomware, 57 percent of adware, and 14 percent of banker malware abuse this permission as part of their operation," the security research team wrote. "This is clearly not a minor threat, but an actual tactic used in the wild."
Android security flaw used by 74% of ransomware
The issue centres on SYSTEM_ALERT_WINDOW, a permission that lets an app draw overlay windows on top of every other app, including whatever the user is typing into at the time. With Android 6.0 Marshmallow, now the most widely used version of Android, Google introduced a new runtime permission model, and SYSTEM_ALERT_WINDOW was placed in a special category of permissions that cannot be granted through the ordinary in-app prompt.
Because of its potential for abuse, Google required the user to grant this permission manually through Settings. "Unlike the other permissions, to grant it, the user must go through several menus (Settings -> Apps -> Draw over other apps) and manually allow an app to use it," Check Point noted. That friction made it hard for legitimate apps that depend on overlays, such as Facebook Messenger with its chat heads, to get users to approve the permission: an app can only send the user to that Settings screen (via the ACTION_MANAGE_OVERLAY_PERMISSION intent) and afterwards check Settings.canDrawOverlays(); it cannot grant the permission to itself.
To reduce that friction, starting with Android 6.0.1 Google changed the way SYSTEM_ALERT_WINDOW is granted: an app installed from the Play Store receives it automatically, with no trip through Settings. That change left Android users open to "displaying fraudulent ads, phishing scams, click-jacking, and overlay windows, which are common with banking Trojans."
While the Google Play Store is the safest place to get Android apps, malicious apps do occasionally slip past its checks. The security firm added that "nearly 45 percent of the applications using the SYSTEM_ALERT_WINDOW permission are apps from Google Play".
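As an added example that is not part of Check Point's research or of this article: a small adb-based audit script that lists the third-party apps on a connected device that currently hold the overlay permission, together with the installer that put them on the device. It assumes Android 6.0 or later (where the grant is recorded as the SYSTEM_ALERT_WINDOW app op) and the `package:<pkg>  installer=<source>` line format of `pm list packages -i`; the two parsing helpers are split out so they can be checked against sample output without a device.

```shell
#!/bin/sh
# Added audit script (not from Check Point or the article): list installed
# third-party apps that currently hold SYSTEM_ALERT_WINDOW, together with the
# installer that put them on the device, so Play-installed auto-grants stand out.
# Assumes a device reachable with `adb` running Android 6.0 or later, where the
# grant is tracked as an app op.

# Extract the mode (allow/deny/ignore/default) from the output of
# `appops get <pkg> SYSTEM_ALERT_WINDOW`. Prints "none" when the op is unset
# (the output is "No operations." on most builds).
overlay_mode() {
  printf '%s\n' "$1" | tr -d '\r' | awk '
    /^SYSTEM_ALERT_WINDOW:/ { mode = $2; sub(/;.*$/, "", mode); print mode; found = 1; exit }
    END { if (!found) print "none" }'
}

# Map one line of `pm list packages -i` ("package:<pkg>  installer=<src>")
# to "<pkg> <src>"; the installer is reported as "null" for sideloaded apps.
# Lines that do not match the assumed format produce no output.
split_installer_line() {
  printf '%s\n' "$1" | tr -d '\r' \
    | sed -n 's/^package:\([^ ]*\)[[:space:]]*installer=\(.*\)$/\1 \2/p'
}

# Walk every third-party package and print the ones whose overlay op is "allow".
audit_overlays() {
  adb shell pm list packages -3 -i | tr -d '\r' | while IFS= read -r line; do
    set -- $(split_installer_line "$line")
    pkg=$1
    installer=$2
    [ -n "$pkg" ] || continue
    mode=$(overlay_mode "$(adb shell appops get "$pkg" SYSTEM_ALERT_WINDOW)")
    if [ "$mode" = allow ]; then
      printf '%-50s overlay=%s installer=%s\n' "$pkg" "$mode" "$installer"
    fi
  done
}

# Usage: sh overlay_audit.sh --run   (against a connected, authorised device)
if [ "${1:-}" = "--run" ]; then
  audit_overlays
fi
```

An `allow` entry whose installer is `com.android.vending` is a candidate for the Play Store auto-grant described above; an `allow` entry with installer `null` was sideloaded, so someone had to walk through Settings to grant it. Either way, the list is the set of apps that can draw over your banking app, and on Marshmallow and Nougat it is worth reviewing by hand.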
Check Point said that when the team reached out to Google, it was told that the search giant was already aware of the problem and planned to address it in the upcoming version of Android. It is unclear what Google's plans are for securing Android Marshmallow and Nougat users even if it does ship a fix with Android O. We have reached out to the Android maker and will update this story with any official statement from Google.