Major Google Play Store security flaw won’t get fixed until Android O arrives

Google has removed a crucial user permission step for apps installed from the Play Store, letting such apps draw windows over any other app without ever asking the user. Malicious apps can abuse this to lock the screen with ransomware, push adware and lay phishing overlays on top of banking apps.

Google will not fix the problem until later this year, when it releases Android O.

Android 6.0 Marshmallow introduced runtime permissions, and with it the SYSTEM_ALERT_WINDOW permission, which lets an app draw windows on top of whatever the user is looking at, had to be granted explicitly by the user in Settings instead of being handed out automatically at install. That stopped an app from silently acquiring the ability to display itself over any other app.

According to security firm Check Point, this forced users through several menus to grant the permission to each app, which broke popular apps such as Facebook Messenger, whose chat heads could no longer display over other apps. Faced with that, Google rolled the change back in the Android 6.0.1 Marshmallow update: an app installed from the Play Store that declares SYSTEM_ALERT_WINDOW in its manifest now receives the permission automatically, with no prompt to the user.

"This entails a significant potential for several malicious techniques, such as displaying fraudulent ads, phishing scams, click-jacking, and overlay windows, which are common with banking Trojans. It can also be used by ransomware to create a persistent on-top screen that will prevent non-technical users from accessing their devices," noted Check Point researchers.

"According to our findings, 74% of ransomware, 57% of adware, and 14% of banker malware abuse this permission as part of their operation. This is clearly not a minor threat, but an actual tactic used in the wild," they added.

If your phone runs Android 6.0.1 Marshmallow or any later release up to Nougat, any app installed from the Play Store that asks for this permission gets it at install time, with no prompt; it can still be revoked by hand in Settings, but nothing tells you it was granted. For malicious apps this is a major boost: a ransomware app can draw a persistent window over the whole screen that you cannot dismiss until you pay.

When Check Point contacted Google, it was told the fix would ship with Android O, the successor to Android 7.0 Nougat, which is expected to launch later this summer. That means Android users will have to live with the flaw for at least another month or two, and longer on any device whose manufacturer is slow to ship the update.

With Android O, Google will introduce a new window type, TYPE_APPLICATION_OVERLAY, which will 'block windows from being positioned above any critical system windows, allowing users to access settings and block an app from displaying alert windows.' Until then, Google's Play Store screening (Bouncer) will continue to scan new apps for malware, but given how much malware, adware and ransomware has reached users through the store in the recent past, that screening is far from perfect.

Check Point advises users to avoid suspicious apps on the Play Store by reading the existing reviews before installing, and to protect their phones with up-to-date anti-malware software. On Marshmallow and Nougat it is also worth opening the 'Draw over other apps' list in Settings and revoking the permission from any app that has no obvious reason to draw over others.
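The check a practitioner would actually run to see which installed apps already hold the overlay permission, and to take it away from the ones that should not have it. This is an added example, not code from the article or from Check Point's research. It assumes adb on the host with a USB-debugging-enabled device attached, and that `adb shell appops get <package> SYSTEM_ALERT_WINDOW` prints the mode as a line such as `SYSTEM_ALERT_WINDOW: allow; time=...` (the mode may also be deny, ignore or default); the package names in the built-in sample are constructed so the parser can be exercised without a device.

```shell
#!/bin/sh
# Triage which third-party apps hold the "draw over other apps" app-op.
# Added example; not code from the article or from Check Point.
# Assumptions: adb is on PATH with a debuggable device attached, and
# `appops get <pkg> SYSTEM_ALERT_WINDOW` prints a mode line such as
# "SYSTEM_ALERT_WINDOW: allow; time=+3d2h ago" (mode may also be
# deny, ignore or default). Package names in the sample are made up.

# parse_appops: read "package<TAB>appops output" records on stdin and
# print, sorted, the packages whose SYSTEM_ALERT_WINDOW mode is allow.
parse_appops() {
    awk -F'\t' '$2 ~ /SYSTEM_ALERT_WINDOW: *allow/ { print $1 }' | sort -u
}

# dump_live_appops: emit one record per non-system package (-3) from the
# attached device, joining appops' possibly multi-line output onto one line.
dump_live_appops() {
    adb shell pm list packages -3 | tr -d '\r' | sed 's/^package://' |
    while IFS= read -r pkg; do
        [ -n "$pkg" ] || continue
        mode=$(adb shell appops get "$pkg" SYSTEM_ALERT_WINDOW | tr -d '\r' | tr '\n' ' ')
        printf '%s\t%s\n' "$pkg" "$mode"
    done
}

# sample_records: constructed stand-in for dump_live_appops so the parser
# can be exercised without a device (fake package names).
sample_records() {
    printf 'com.example.chat\tSYSTEM_ALERT_WINDOW: allow; time=+3d2h ago\n'
    printf 'com.example.flashlight\tSYSTEM_ALERT_WINDOW: allow; time=+5h ago\n'
    printf 'com.example.notes\tNo operations.\n'
    printf 'com.example.game\tSYSTEM_ALERT_WINDOW: ignore; time=+1d ago\n'
    printf 'com.example.bank\tSYSTEM_ALERT_WINDOW: deny; time=+2d ago\n'
}

# overlay_allowed_from_sample: the packages the parser flags in the sample.
overlay_allowed_from_sample() {
    sample_records | parse_appops
}

# revoke_overlay: take the app-op away from one package. This is reversible
# (the user can re-grant it from Settings) and needs a device, so it is not
# invoked automatically here.
revoke_overlay() {
    adb shell appops set "$1" SYSTEM_ALERT_WINDOW deny
}

if [ "${1:-}" = "--live" ]; then
    dump_live_appops | parse_appops
else
    overlay_allowed_from_sample
fi
```

Run it with `--live` against a real device to list every non-system package that can currently draw over other apps, then call `revoke_overlay <package>` for anything that has no business doing so (a flashlight or wallpaper app, say). Treat a mode of `default` as worth a second look rather than as cleared: in that state the framework falls back to whether the manifest permission itself was granted, which is exactly what the 6.0.1 behaviour hands out automatically to Play Store installs.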

Copyright Lyonsdown Limited 2021
