40% of Android devices are at risk of screen hijack exploit

But Google doesn't plan to fix it until late summer

A currently unpatched exploit in the Android operating system means almost 40% of users are vulnerable to screen-hijacking apps, but it is unlikely to be fixed until the summer.

The bug, which was first spotted by researchers at Check Point, is caused by a development oversight in Android permissions, which in the past required users to manually grant downloaded applications the ability to display content on top of other app panes.

However following complaints from users who found it difficult to manually whitelist each app, the Android 6.0.1 'Marshmallow' update made this process automatic, which was good news for legitimate apps like WhatsApp and Facebook Messenger.

It appears that fix has meant apps hiding malicious codes are able to bypass security also being automatically granted the same access, specifically the 'SYSTEM_ALERT_WINDOW' permission. According to Google's own statistics, the vulnerability will be active on close to 40% of all Android devices.

"As a temporary solution, Google applied a patch in Android version 6.0.1 that allows the Play Store app to grant run-time permissions, which are later used to grant SYSTEM_ALERT_WINDOW permission to apps installed from the app store," the Check Point research team explained in a blog post. "This means that a malicious app downloaded directly from the app store will be automatically granted this dangerous permission."

This permission is particularly dangerous as it allows an app to display over any other app, without notifying the user. This means apps are able to display fraudulent adverts or links to content hosting malicious code, which are heavily used in banking Trojans.

"It can also be used by ransomware to create a persistent on-top screen that will prevent non-technical users from accessing their devices," explained the team. This particular permissions exploit is used by 74% of all ransomware, 57% of adware and 14% of banker malware, according to the report, clearly demonstrating that this is a widespread tactic in the wild.

What's worrying is that Google has stated that a fix will be available in time for the release of Android O, which isn't expected until late summer. In the meantime, Check Point has urged users to beware of dodgy-looking apps and to check the comments left by other users.

Although the Play Store is able to police the apps being uploaded to its platform, malicious content is repeatedly bypassing security checks. Check Point recently disclosed the discovery of a new malware strain hidden inside game guides hosted on the Play Store, thought to have infected close to two million Android devices over the past seven months.

Paul Ducklin, senior technologist at security software firm Sophos, believes companies are in a "Catch 22" situation over Google Play: "If you block Google Play, you'll probably end up turning on Android's 'Allow installation apps from unknown sources' instead. And 'unknown sources' opens you up to a massive menagerie of mobile markets."

"Companies should consider some sort of central mobile device management software that helps IT to prevent egregious mistakes, such as quietly blocking apps that no one has heard of yet, because they represent an as-yet unknown risk, while still allowing fun and freedom among better-trusted parts of the ecosystem."

Featured Resources

Managing security risk and compliance in a challenging landscape

How key technology partners grow with your organisation

Download now

Evaluate your order-to-cash process

15 recommended metrics to benchmark your O2C operations

Download now

AI 360: Hold, fold, or double down?

How AI can benefit your business

Download now

Getting started with Azure Red Hat OpenShift

A developer’s guide to improving application building and deployment capabilities

Download now

Recommended

How to unroot Android
Google Android

How to unroot Android

9 Sep 2020
Android malware vendor teams with marketer to promote new malware
malware

Android malware vendor teams with marketer to promote new malware

11 Jan 2021
Android and iOS users blackmailed by 'Goontact' spyware
spyware

Android and iOS users blackmailed by 'Goontact' spyware

16 Dec 2020
Python-based malware steals Outlook files and browser credentials
malware

Python-based malware steals Outlook files and browser credentials

15 Dec 2020

Most Popular

School laptops sent by government arrive loaded with malware
malware

School laptops sent by government arrive loaded with malware

21 Jan 2021
How to move Windows 10 from your old hard drive to SSD
operating systems

How to move Windows 10 from your old hard drive to SSD

21 Jan 2021
What is the Raspberry Pi Pico?
Hardware

What is the Raspberry Pi Pico?

21 Jan 2021