40% of Android devices are at risk of screen hijack exploit

But Google doesn't plan to fix it until late summer

A currently unpatched exploit in the Android operating system means almost 40% of users are vulnerable to screen-hijacking apps, but it is unlikely to be fixed until the summer.

The bug, which was first spotted by researchers at Check Point, is caused by a development oversight in Android permissions, which in the past required users to manually grant downloaded applications the ability to display content on top of other app panes.

However following complaints from users who found it difficult to manually whitelist each app, the Android 6.0.1 'Marshmallow' update made this process automatic, which was good news for legitimate apps like WhatsApp and Facebook Messenger.

It appears that fix has meant apps hiding malicious codes are able to bypass security also being automatically granted the same access, specifically the 'SYSTEM_ALERT_WINDOW' permission. According to Google's own statistics, the vulnerability will be active on close to 40% of all Android devices.

Advertisement
Advertisement - Article continues below
Advertisement - Article continues below

"As a temporary solution, Google applied a patch in Android version 6.0.1 that allows the Play Store app to grant run-time permissions, which are later used to grant SYSTEM_ALERT_WINDOW permission to apps installed from the app store," the Check Point research team explained in a blog post. "This means that a malicious app downloaded directly from the app store will be automatically granted this dangerous permission."

This permission is particularly dangerous as it allows an app to display over any other app, without notifying the user. This means apps are able to display fraudulent adverts or links to content hosting malicious code, which are heavily used in banking Trojans.

"It can also be used by ransomware to create a persistent on-top screen that will prevent non-technical users from accessing their devices," explained the team. This particular permissions exploit is used by 74% of all ransomware, 57% of adware and 14% of banker malware, according to the report, clearly demonstrating that this is a widespread tactic in the wild.

What's worrying is that Google has stated that a fix will be available in time for the release of Android O, which isn't expected until late summer. In the meantime, Check Point has urged users to beware of dodgy-looking apps and to check the comments left by other users.

Although the Play Store is able to police the apps being uploaded to its platform, malicious content is repeatedly bypassing security checks. Check Point recently disclosed the discovery of a new malware strain hidden inside game guides hosted on the Play Store, thought to have infected close to two million Android devices over the past seven months.

Paul Ducklin, senior technologist at security software firm Sophos, believes companies are in a "Catch 22" situation over Google Play: "If you block Google Play, you'll probably end up turning on Android's 'Allow installation apps from unknown sources' instead. And 'unknown sources' opens you up to a massive menagerie of mobile markets."

Advertisement - Article continues below

"Companies should consider some sort of central mobile device management software that helps IT to prevent egregious mistakes, such as quietly blocking apps that no one has heard of yet, because they represent an as-yet unknown risk, while still allowing fun and freedom among better-trusted parts of the ecosystem."

Featured Resources

What you need to know about migrating to SAP S/4HANA

Factors to assess how and when to begin migration

Download now

Your enterprise cloud solutions guide

Infrastructure designed to meet your company's IT needs for next-generation cloud applications

Download now

Testing for compliance just became easier

How you can use technology to ensure compliance in your organisation

Download now

Best practices for implementing security awareness training

How to develop a security awareness programme that will actually change behaviour

Download now
Advertisement

Recommended

Visit/malware/33080/hackers-abuse-linkedin-dms-to-plant-malware
malware

Hackers abuse LinkedIn DMs to plant malware

25 Feb 2019
Visit/mobile/23617/the-best-smartphones-to-buy
Mobile

Best smartphone 2019: Apple, Samsung and OnePlus duke it out

24 Dec 2019
Visit/security/malware/28083/the-five-best-free-malware-removal-tools
Security

Best free malware removal tools 2019

23 Dec 2019
Visit/security/354156/google-confirms-android-cameras-can-be-hijacked-to-spy-on-you
Security

Google confirms Android cameras can be hijacked to spy on you

20 Nov 2019

Most Popular

Visit/policy-legislation/data-governance/354496/brexit-security-talks-under-threat-after-uk-accused-of
data governance

Brexit security talks under threat after UK accused of illegally copying Schengen data

10 Jan 2020
Visit/microsoft-windows/32066/what-to-do-if-youre-still-running-windows-7
Microsoft Windows

What to do if you're still running Windows 7

14 Jan 2020
Visit/operating-systems/microsoft-windows/354526/memes-and-viking-funerals-the-internet-reacts-to-the
Microsoft Windows

Memes and Viking funerals: The internet reacts to the death of Windows 7

14 Jan 2020
Visit/operating-systems/25802/17-windows-10-problems-and-how-to-fix-them
operating systems

17 Windows 10 problems - and how to fix them

13 Jan 2020