As the world tries to recover from the devastating effects of the WannaCry ransomware attack, a research team at Check Point Software Limited has found a worrisome loophole in Android’s security mechanism as well. The company first reported the flaw in a post on its website on May 9, 2017, but the real concern is Google’s response to the matter.
According to the report, Google’s policy of granting permissions to apps installed directly from the Google Play Store may allow attackers to hijack the screen of your Android smartphone. The flaw exposes Android devices to numerous attacks, such as banking malware, adware and, most importantly, ransomware. For those not aware, ransomware is malicious software that encrypts or blocks a user’s access to data and demands payment to unlock it.
As per the Check Point report, Google introduced a new ‘permission model for apps’ with Android 6.0 Marshmallow. The new model comprises several groups of permissions, some of which are considered ‘dangerous’ and are therefore granted only at run time. However, while downloading an app, the user is required to grant certain necessary permissions, and this in a way allows the app access to a ‘dangerous’ resource.
The research report lists another category, which consists of a single permission called ‘SYSTEM_ALERT_WINDOW’. This ‘unique’ permission requires a user to go through several menus in order to manually allow an app to use it. Unlike other permissions, ‘SYSTEM_ALERT_WINDOW’ can be exploited for threats such as phishing scams and fraudulent ads, which are common to banking Trojans. The permission is also used by ransomware ‘to create a persistent on-top screen that prevents users from accessing their devices’. The same permission is used by legitimate apps such as Facebook’s Messenger to create the chat heads on your screen. That is the problem.
The Check Point Research findings state that 74 percent of ransomware, 57 percent of adware and 14 percent of banker malware ‘abuse’ this permission as part of their operations.
The Mountain View company, understanding the nature of this permission and the risk involved, created a temporary process that was applied in Android Marshmallow version 6.0.1. The patch allows the Play Store app to grant run-time permissions, which in turn grants the SYSTEM_ALERT_WINDOW permission to the apps it installs. This is equally dangerous: if you download a malicious app from the Play Store by mistake, it automatically gets the SYSTEM_ALERT_WINDOW permission, which could be used to hijack your phone.
Check Point Research notes that about 45 percent of the applications on Google Play use the SYSTEM_ALERT_WINDOW permission. Google uses a malware scanner called “Bouncer” to periodically scan the apps uploaded to the Google Play Store. Unfortunately, despite these routine checks, malicious apps are still able to infiltrate Google Play and make their way onto user devices.
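The exposure described above can be audited across a set of installed apps. The following is an added example, not code from Check Point or Google: it assumes each app's AndroidManifest.xml has already been decoded to text XML and that the installer package name is known; the sample manifests, package names and status labels are constructed for illustration.

```python
import xml.etree.ElementTree as ET

ANDROID_NS = "http://schemas.android.com/apk/res/android"
OVERLAY = "android.permission.SYSTEM_ALERT_WINDOW"
PLAY_INSTALLER = "com.android.vending"  # package name of the Play Store app

def requested_permissions(manifest_xml):
    """Return (package, set of permission names) from a decoded manifest."""
    root = ET.fromstring(manifest_xml)
    perms = set()
    for el in root.iter():
        # uses-permission-sdk-23 is the Marshmallow-and-later variant
        if el.tag in ("uses-permission", "uses-permission-sdk-23"):
            name = el.get("{%s}name" % ANDROID_NS)
            if name:
                perms.add(name.strip())
    return root.get("package"), perms

def overlay_status(manifest_xml, installer):
    """Classify one app by overlay exposure (status labels are hypothetical)."""
    package, perms = requested_permissions(manifest_xml)
    if OVERLAY not in perms:
        return package, "no-overlay"
    if installer == PLAY_INSTALLER:
        # Assumption taken from the article: Play-installed apps get it automatically
        return package, "overlay-auto-granted"
    return package, "overlay-needs-manual-grant"

# Constructed sample manifests (hypothetical packages, not real apps)
CHAT_APP = """<manifest xmlns:android="http://schemas.android.com/apk/res/android"
    package="com.example.chatheads">
  <uses-permission android:name="android.permission.INTERNET"/>
  <uses-permission android:name="android.permission.SYSTEM_ALERT_WINDOW"/>
</manifest>"""
NOTES_APP = """<manifest xmlns:android="http://schemas.android.com/apk/res/android"
    package="com.example.notes">
  <uses-permission android:name="android.permission.INTERNET"/>
</manifest>"""

def audit(inventory):
    """inventory: list of (manifest_xml, installer); returns overlay apps only."""
    results = [overlay_status(m, i) for m, i in inventory]
    return [r for r in results if r[1] != "no-overlay"]

if __name__ == "__main__":
    fleet = [(CHAT_APP, PLAY_INSTALLER), (CHAT_APP, None), (NOTES_APP, PLAY_INSTALLER)]
    for package, status in audit(fleet):
        print(package, status)
```

Apps reported as auto-granted are the ones to review first, since the user never saw a prompt for the overlay permission.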
The good news is that Check Point reported the issue to Google, and the company responded that the fault within the Android mechanism will be fixed. The bad news is that Google said the issue will be fixed only in the upcoming Android O operating system. According to the report, a new restrictive permission, ‘TYPE_APPLICATION_OVERLAY’, will be created that blocks windows from overlaying any ‘critical system windows’. This permission will let users access settings and block apps from displaying alert windows.
Google’s next mobile operating system is still months away, even for Google’s own devices, which get updates before anyone else. For those who use smartphones made by other manufacturers, this critical security update will come even later, if at all. Given the far-reaching impact of the WannaCry ransomware, we can only hope that Google changes its mind and issues a security patch at the earliest to address this issue.