Right now, there’s a vulnerability in Android Marshmallow and higher that might never see a fix. Discovered by security researchers at Check Point, the vulnerability arises from a new permission model for Android apps that was introduced when Android 6.0 Marshmallow first came out.
When Android 6.0.0 Marshmallow first shipped, an app that wanted to display its content on top of other apps had to be granted that ability manually by the user (Settings -> Apps -> Draw over other apps). Facebook Messenger’s chat heads, which stay on screen whatever app you are in, are a familiar example.
After app developers complained that this extra approval step was too cumbersome, Google relaxed it in the Android 6.0.1 Marshmallow update. The SYSTEM_ALERT_WINDOW permission itself was not removed; instead, an app installed from the Play Store that declares it in its manifest now has it granted automatically at install time, without the user ever seeing the “Draw over other apps” screen. In effect, any Play Store app that asks for this dangerous permission gets it by default, and that is where the problem starts.
This is what Check Point says:
“This entails a significant potential for several malicious techniques, such as displaying fraudulent ads, phishing scams, click-jacking, and overlay windows, which are common with banking Trojans.
“It can also be used by ransomware to create a persistent on-top screen that will prevent non-technical users from accessing their devices. According to our findings, 74% of ransomware, 57% of adware, and 14% of banker malware abuse this permission as part of their operation.
This is clearly not a minor threat, but an actual tactic used in the wild.”
The exposure is large: 38.3% of all Android devices run Marshmallow, and in many cases they have no upgrade path to Android 7.0 Nougat. With Android O likely to exclude even more devices, a large share of the Android user base is left open to attacks that abuse this permission.
Since Check Point reports that this is an actual tactic used in the wild, with a significant share of ransomware and adware already relying on the overlay permission, attacks that abuse it could rise sharply without anyone noticing that a single flaw is behind them.
As a first step, install apps only from the Google Play Store. Third-party app stores lack the malware-scanning infrastructure Google applies to Play submissions. Google’s scanner (known as “Bouncer”) is not infallible, but a malware-laden app has a far smaller chance of being approved there than on other app stores.
Google is aware of the threat but has said only that it will address it in Android O, whose final release is several months away; the general rollout to the public may not happen until 2018. Android O introduces a new window type, TYPE_APPLICATION_OVERLAY, which replaces the older overlay window types: windows of that type are always drawn below critical system windows such as the status bar and keyboard, and the user gets a setting, surfaced through a notification, to stop an app from drawing over other apps.
But there is no guarantee that every Marshmallow device will be offered Android O when it arrives. That means the bulk of Marshmallow devices, roughly 38% of all Android devices in use by the figure above, may never see a fix for this vulnerability.
What Can an Android Marshmallow User Do?
For now, be wary of malicious apps, even on the Play Store. Read the reviews for signs of trouble and grant only the permissions an app genuinely needs for its functionality. In particular, overlay access can still be revoked per app under Settings -> Apps -> Draw over other apps, the same screen Android 6.0.0 used for manual approval, so check it for apps that have no reason to draw over others. Additional security tooling can help protect the device from malware, but we do not recommend anti-virus apps for your Android phone, especially if the device is already slow and short on resources.
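As an added example (not from the article or from Check Point), the script below shows how a user or administrator with adb access can audit which installed apps currently hold the overlay app-op, which is what the “Draw over other apps” toggle controls, and generate the commands to revoke it. The package names and the device output are constructed for this example; the adb loop in the comment is what you would run against a real device.

```shell
#!/bin/sh
# Added example, not part of the article. Audits which packages on a
# Marshmallow device have the "draw over other apps" app-op set to allow.
#
# On a real device, feed the script with output from adb (host side):
#
#   adb shell 'for p in $(pm list packages -3 | cut -d: -f2); do
#       echo "$p $(appops get "$p" SYSTEM_ALERT_WINDOW)"; done' \
#     | sh overlay_audit.sh
#
# Here that device output is replaced by a constructed sample so the
# script runs offline. Package names are hypothetical.
SAMPLE='com.example.chatheads SYSTEM_ALERT_WINDOW: allow; time=+2d3h11m0s0ms ago
com.example.flashlight SYSTEM_ALERT_WINDOW: allow; time=+5h0m12s0ms ago
com.example.notes No operations.
com.example.wallpaper SYSTEM_ALERT_WINDOW: deny; time=+1d0h0m0s0ms ago'

# overlay_allowed reads "<package> <appops get output>" lines on stdin and
# prints only the packages whose overlay op is explicitly "allow".
# "No operations." means no explicit decision has been recorded for the op.
overlay_allowed() {
    while IFS= read -r line; do
        pkg=${line%% *}     # text before the first space
        rest=${line#* }     # everything after it
        case "$rest" in
            "SYSTEM_ALERT_WINDOW: allow"*) printf '%s\n' "$pkg" ;;
        esac
    done
}

# revoke_commands turns the flagged packages into adb commands that set the
# op back to deny. This is the command-line equivalent of switching the app
# off under Settings -> Apps -> Draw over other apps.
revoke_commands() {
    overlay_allowed | while IFS= read -r pkg; do
        printf 'adb shell appops set %s SYSTEM_ALERT_WINDOW deny\n' "$pkg"
    done
}

# Stand-alone run over the constructed sample.
printf '%s\n' "$SAMPLE" | overlay_allowed
printf '%s\n' "$SAMPLE" | revoke_commands
```

Only an explicit “allow” is flagged; a package reporting “No operations.” or “deny” is left alone, so review the flagged list before revoking, since legitimate apps such as chat-head messengers need the op to work.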
That said, a Marshmallow device left on its default settings is already fairly well protected by Verify Apps, part of Google Play Services. Keep your downloads to the Play Store and other fully trustworthy sources and it should keep you safe for the most part.
Source: Check Point