Google has removed a crucial user permission requirement for apps in Android OS, allowing malicious apps to spam users with ransomware, adware and banking malware.
Google won't bring in a fix for this security risk until later this year when the company will introduce Android O.
Until recently, Android users could grant permissions to individual apps thanks to a new SYSTEM_ALERT_WINDOW feature which Google introduced with Android 6.0 Marshmallow OS. The feature enabled users to grant permissions only during runtime to prevent such apps from gaining dangerous permissions automatically, such as displaying themselves over any other app without notifying users.
According to security firm Check Point, this feature required users to go through several menus to grant permissions to individual apps, and this caused problems to popular apps like Facebook Messenger who couldn't display chat notifications over other apps. Considering their predicament, Google decided to do away with the feature with Android 6.0.1 Marshmallow update.
"This entails a significant potential for several malicious techniques, such as displaying fraudulent ads, phishing scams, click-jacking, and overlay windows, which are common with banking Trojans. It can also be used by ransomware to create a persistent on-top screen that will prevent non-technical users from accessing their devices," noted Check Point researchers.
"According to our findings, 74% of ransomware, 57% of adware, and 14% of banker malware abuse this permission as part of their operation. This is clearly not a minor threat, but an actual tactic used in the wild," they added.
If you are using an Android phone running Android 6.0 Marshmallow OS or later, you can no longer withhold permissions to apps from displaying themselves on top of other apps. For malicious apps, this is a major boost. A malicious app can now display a permanent notification on your display screen and you won't be able to get rid of it until you pay a ransom.
When Check Point contacted Google, they were told that Google will bring in a fix for the said vulnerability with Android O, the successor to Android 7.0 Nougat which is expected to launch later this summer. This means that Android phone users will have to contend with the security flaw for at least another month or two.
With Android O, Google will introduce a new permission called TYPE_APPLICATION_OVERLAY which will 'block windows from being positioned above any critical system windows, allowing users to access settings and block an app from displaying alert windows.' Until then, Google's Bouncer will continue to screen new Play Store apps for malware, but considering how a number of malware, adware and ransomware have made their way to users in the recent past, Bouncer is far from perfect.
Check Point suggests that users must avoid downloading fishy apps from Play Store by reading existing comments on the Play Store and must also protect their phones by installing the latest anti-malware security solutions.