Google is planning to fix a weakness in some versions of Android that enables malicious apps to take advantage of a special permission in the operating system to install ransomware, show malicious ads, or take other unwanted actions.
The permission was introduced in Android 6.0 and it can allow an app to be displayed on top of another app, obscuring the lower-level app. In order to use the SYSTEM_ALERT_WINDOW permission, an app has to have explicit, manual approval from the user. The permission is quite powerful and many forms of Android malware and ransomware are known to abuse it in one way or another.
“The reason SYSTEM_ALERT_WINDOW is unique is the extensive capability it withholds, by enabling an app to display over any other app without notifying the user. This entails a significant potential for several malicious techniques, such as displaying fraudulent ads, phishing scams, click-jacking, and overlay windows, which are common with banking Trojans. It can also be used by ransomware to create a persistent on-top screen that will prevent non-technical users from accessing their devices,” researchers from Check Point wrote in an analysis of the issue.
That manual approval can be a problem for some legitimate apps that need it to work properly. To try and address this problem, Google added a system in Android 6.0.1 that allows the official Play Store app to give apps downloaded from the store run-time permissions that can later be used to get the SYSTEM_ALERT_WINDOW permission. But that also means that a malicious app downloaded from Play can get that permission.
“Based on Check Point research, nearly 45% of the applications using the SYSTEM_ALERT_WINDOW permission are apps from Google Play,” the Check Point researchers said.
“With the granting of SYSTEM_ALERT_WINDOW permission to apps installed from the app store, Google effectively bypasses the security mechanism introduced in the previous version.”
Google is readying a fix for the weakness that will be included in Android O, due out in the third quarter of this year. The patch will include a new permission that will restrict apps from blocking critical system windows.