Major Google Play Store security flaw won’t get fixed until Android O arrives

Google has removed a crucial user permission requirement for apps in Android OS, allowing malicious apps to spam users with ransomware, adware and banking malware.

Google won’t bring in a fix for this security risk until later this year when the company will introduce Android O.

Until recently, Android users could grant permissions to individual apps thanks to a new SYSTEM_ALERT_WINDOW feature which Google introduced with Android 6.0 Marshmallow OS. The feature enabled users to grant permissions only at runtime, preventing apps from automatically gaining dangerous permissions such as the ability to display themselves over any other app without notifying users.

According to security firm Check Point, this feature required users to go through several menus to grant permissions to individual apps, and this caused problems for popular apps like Facebook Messenger, which couldn’t display chat notifications over other apps. Considering their predicament, Google decided to do away with the feature in the Android 6.0.1 Marshmallow update.

“This entails a significant potential for several malicious techniques, such as displaying fraudulent ads, phishing scams, click-jacking, and overlay windows, which are common with banking Trojans. It can also be used by ransomware to create a persistent on-top screen that will prevent non-technical users from accessing their devices,” noted Check Point researchers.

“According to our findings, 74% of ransomware, 57% of adware, and 14% of banker malware abuse this permission as part of their operation. This is clearly not a minor threat, but an actual tactic used in the wild,” they added.

If you are using an Android phone running Android 6.0.1 Marshmallow OS or later, you can no longer withhold the permission that lets apps display themselves on top of other apps. For malicious apps, this is a major boost. A malicious app can now display a permanent window on your screen, and you won’t be able to get rid of it until you pay a ransom.

When Check Point contacted Google, they were told that Google will bring in a fix for the said vulnerability with Android O, the successor to Android 7.0 Nougat which is expected to launch later this summer. This means that Android phone users will have to contend with the security flaw for at least another month or two.

With Android O, Google will introduce a new permission called TYPE_APPLICATION_OVERLAY which will ‘block windows from being positioned above any critical system windows, allowing users to access settings and block an app from displaying alert windows.’ Until then, Google’s Bouncer will continue to screen new Play Store apps for malware, but considering how many malware, adware and ransomware apps have made their way to users in the recent past, Bouncer is far from perfect.
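Because the overlay capability is a per-app permission that apps must declare in their manifest, an administrator or incident responder can at least audit which installed packages request it. The script below is an added example, not code from the article or from Check Point: it parses text in the shape of `adb shell dumpsys package` output (the embedded sample is constructed and the exact dumpsys layout varies between Android versions) and lists every package that requests android.permission.SYSTEM_ALERT_WINDOW, which is the permission behind the overlay behaviour described above.

```shell
#!/bin/sh
# Constructed sample in the shape of `adb shell dumpsys package` output.
# Package names and hashes are made up for this example.
SAMPLE_DUMPSYS='Packages:
  Package [com.example.chat] (3f2a1b):
    userId=10123
    requested permissions:
      android.permission.INTERNET
      android.permission.SYSTEM_ALERT_WINDOW
    install permissions:
      android.permission.INTERNET: granted=true
  Package [com.example.notes] (7c9d0e):
    userId=10124
    requested permissions:
      android.permission.INTERNET
  Package [com.example.lockscreen] (a1b2c3):
    userId=10125
    requested permissions:
      android.permission.SYSTEM_ALERT_WINDOW
      android.permission.RECEIVE_BOOT_COMPLETED
'

# Read dumpsys-style text on stdin and print, one per line, every package
# whose "requested permissions" block names the overlay permission.
# Output is sorted so that it is deterministic and easy to diff over time.
overlay_capable_packages() {
    awk '
        # A "  Package [name] (hash):" line starts a new package record.
        /^  Package \[/ {
            pkg = $2
            sub(/^\[/, "", pkg); sub(/\]$/, "", pkg)
        }
        # Requested-permission lines carry the bare permission name as field 1.
        pkg != "" && $1 == "android.permission.SYSTEM_ALERT_WINDOW" { seen[pkg] = 1 }
        END { for (p in seen) print p }
    ' | sort
}

# Number of overlay-capable packages in the input, for quick triage.
count_overlay_capable() {
    overlay_capable_packages | wc -l | tr -d " "
}

main() {
    printf '%s' "$SAMPLE_DUMPSYS" | overlay_capable_packages
}

main
```

Against a real device the input comes from `adb shell dumpsys package | overlay_capable_packages`; any package in the result that has no obvious reason to draw over other apps (a chat or accessibility app usually does, a note-taking app usually does not) is worth a closer look. On Android 6.0 and later the overlay grant itself is also visible per app under the app-ops service, which is the layer a device owner can inspect when the Settings UI no longer exposes the switch.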

Check Point suggests that users should avoid downloading fishy apps from the Play Store by reading the existing comments on the Play Store, and should also protect their phones by installing the latest anti-malware security solutions.
