Major Google Play Store security flaw won’t get fixed until Android O arrives
10 May 2017
Google has removed a crucial user permission requirement for apps in Android OS, allowing malicious apps to spam users with ransomware, adware and banking malware.
Google won't bring in a fix for this security risk until later this year when the company will introduce Android O.
Until recently, Android users could grant the overlay permission to individual apps, thanks to the runtime handling of the SYSTEM_ALERT_WINDOW permission which Google introduced with Android 6.0 Marshmallow. That approach made users grant permissions only at runtime, so that apps could not automatically acquire dangerous permissions such as the ability to display themselves over any other app without the user being told.
According to security firm Check Point, this required users to go through several menus to grant the permission to individual apps, and that caused problems for popular apps like Facebook Messenger, which could not display chat notifications over other apps. Considering their predicament, Google decided to do away with the requirement in the Android 6.0.1 Marshmallow update.
"This entails a significant potential for several malicious techniques, such as displaying fraudulent ads, phishing scams, click-jacking, and overlay windows, which are common with banking Trojans. It can also be used by ransomware to create a persistent on-top screen that will prevent non-technical users from accessing their devices," noted Check Point researchers.
"According to our findings, 74% of ransomware, 57% of adware, and 14% of banker malware abuse this permission as part of their operation. This is clearly not a minor threat, but an actual tactic used in the wild," they added.
If you are using an Android phone running Android 6.0 Marshmallow or later, you can no longer withhold from apps the permission to display themselves on top of other apps. For malicious apps, this is a major boost. A malicious app can now display a permanent notification on your screen and you won't be able to get rid of it until you pay a ransom.
When Check Point contacted Google, they were told that Google will bring in a fix for this vulnerability with Android O, the successor to Android 7.0 Nougat, which is expected to launch later this summer. This means that Android phone users will have to contend with the security flaw for at least another month or two.
With Android O, Google will introduce a new window type called TYPE_APPLICATION_OVERLAY which will 'block windows from being positioned above any critical system windows, allowing users to access settings and block an app from displaying alert windows.' Until then, Google's Bouncer will continue to screen new Play Store apps for malware, but considering how many malware, adware and ransomware apps have made their way to users in the recent past, Bouncer is far from perfect.
Check Point suggests that users must avoid downloading fishy apps from the Play Store by reading existing reviews on the Play Store, and must also protect their phones by installing the latest anti-malware security solutions.
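The following is an added example, not code from the article, from Check Point or from Google, showing the two sides of the overlay problem described above from an app developer's point of view: a legitimate app checking whether the user really granted the "draw over other apps" permission and picking the Android O window type, and a sensitive app (a banking or payment screen) refusing touches that arrive through an overlay, which is the standard Android defence against the click-jacking and overlay abuse the article mentions. The class name OverlayHardening and its method names are assumptions for this example; the framework calls (Settings.canDrawOverlays, TYPE_APPLICATION_OVERLAY, setFilterTouchesWhenObscured, FLAG_WINDOW_IS_OBSCURED) are real Android APIs.

```java
import android.content.Context;
import android.content.Intent;
import android.net.Uri;
import android.os.Build;
import android.provider.Settings;
import android.util.Log;
import android.view.MotionEvent;
import android.view.View;
import android.view.WindowManager;

/** Hypothetical helper class (name assumed for this example). */
public final class OverlayHardening {
    private static final String TAG = "OverlayHardening";

    private OverlayHardening() {}

    /**
     * Side 1: an app that legitimately draws over other apps.
     * Reports whether this app holds SYSTEM_ALERT_WINDOW. Note the caveat from the
     * article: on 6.0.1+ Play Store apps may hold it without the user ever having
     * visited the settings screen, so "true" here does not mean the user chose it.
     */
    public static boolean holdsOverlayPermission(Context ctx) {
        if (Build.VERSION.SDK_INT < Build.VERSION_CODES.M) {
            return true; // before 6.0 the permission was granted at install time
        }
        return Settings.canDrawOverlays(ctx);
    }

    /** Intent that opens the per-app "Display over other apps" settings screen. */
    public static Intent manageOverlayIntent(Context ctx) {
        return new Intent(Settings.ACTION_MANAGE_OVERLAY_PERMISSION,
                Uri.parse("package:" + ctx.getPackageName()));
    }

    /**
     * Window type to use for an overlay. On Android O and later this is
     * TYPE_APPLICATION_OVERLAY, which the system always keeps below critical
     * system windows such as the status bar and settings, so the user can
     * still reach the switch that turns the overlay off.
     */
    @SuppressWarnings("deprecation")
    public static int overlayWindowType() {
        if (Build.VERSION.SDK_INT >= Build.VERSION_CODES.O) {
            return WindowManager.LayoutParams.TYPE_APPLICATION_OVERLAY;
        }
        return WindowManager.LayoutParams.TYPE_SYSTEM_ALERT; // deprecated from O
    }

    /**
     * Side 2: an app that is a target of overlay attacks (banking, payments).
     * With filtering on, the framework silently discards any touch delivered
     * while another window covers this view, so a transparent overlay cannot
     * trick the user into tapping "Confirm" underneath it.
     */
    public static void dropObscuredTouches(View sensitiveView) {
        sensitiveView.setFilterTouchesWhenObscured(true);
    }

    /**
     * Alternative for apps that want to detect rather than silently drop:
     * call this from an OnTouchListener and treat "true" as a signal worth
     * logging, since a covered window is exactly what the overlay malware
     * described above relies on.
     */
    public static boolean isObscured(MotionEvent event) {
        boolean obscured = (event.getFlags() & MotionEvent.FLAG_WINDOW_IS_OBSCURED) != 0;
        if (obscured) {
            Log.w(TAG, "touch arrived while this window was covered by another window");
        }
        return obscured;
    }
}
```

A banking-style activity would call `dropObscuredTouches()` on its confirmation button, or wrap `isObscured()` in a `View.OnTouchListener` and return `true` (consume the event) when it reports an overlay. Neither check tells you which other app holds the overlay permission; that remains visible only to the user through the "Display over other apps" settings screen, which is why Android O's TYPE_APPLICATION_OVERLAY matters: it guarantees that screen stays reachable.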
Latest posts by Jay Jay (see all)