Google said Tuesday that a permissions flaw that puts Android users at a heightened risk for malware, ransomware and adware attacks will not be fixed until the release of its next mobile OS, Android O. The vulnerability impacts an undisclosed number of apps hosted on Google Play, researchers at Check Point Software Technologies said.
“Based on Google’s policy which grants extensive permissions to apps installed directly from Google Play, this flaw exposes Android users to several types of attacks,” Check Point said.
Android O is expected to formally debut in the third quarter of 2017; an alpha version was released in March. The vulnerability, Check Point said, was introduced with the release of Android OS Marshmallow.
Check Point said the vulnerability exists because a rogue app developer could publish a malicious app on Google Play that would slip by Google’s automated malware scanner, called Verify Apps. Once installed, the app could be instructed to keep a persistent window on top of everything else on the Android device’s screen whenever the device is active.
“This entails a significant potential for several malicious techniques, such as displaying fraudulent ads, phishing scams, click-jacking, and overlay windows, which are common with banking Trojans. It can also be used by ransomware to create a persistent on-top screen that will prevent non-technical users from accessing their devices,” Check Point wrote.
The vulnerability is tied to the way Google classifies and grants Android apps permissions to interact with a user’s Android handset. Google lumps system permissions into separate protection levels, one Normal and the other Dangerous.
Normal permission levels are given to apps that need to access data or resources outside the app’s sandbox but represent very little risk to the user’s privacy, according to Google. For example, an app that checks which version of the Android OS is running needs only Normal permissions. Normal permissions are granted automatically; no user interaction is required.
Dangerous permissions apply to apps that request access to a phone’s resources such as contacts, calendar, microphone or camera. These apps, when launched for the first time, require a user to explicitly grant permission for system resource access.
The vulnerability Check Point discovered applies to apps that pop up or display windows on top of all other Android apps running on a handset. For example, Facebook has a Chat Head feature tied to its Messenger app. When a user receives a new Facebook message, the profile image of the sender pops up above whatever application window the user is viewing to alert the user to the new message. This functionality is tied to an Android feature called System Alert Window.
Starting with its Marshmallow OS, Google classified the System Alert Window permission as Dangerous. However, Google granted an exception to app developers that wanted to access the System Alert Window function with their app, according to Check Point. The only condition to allowing the app developer to forgo asking users for permission to access this Dangerous resource was that the app must be downloaded via the Google Play app store. Android apps available via third-party Android app stores must request this permission.
Google allowed the exception because an average Android user would be alarmed and confused by an app permission request asking for access to System Alert Window, said Daniel Padon, mobile threat researcher at Check Point. “Either users would never grant access to System Alert Window or become conditioned to always grant access to Android system resources,” he said. “Either way, that’s not good.”
Check Point said that with Android O, Google will modify this permission with a new, more restrictive permission called TYPE_APPLICATION_OVERLAY, which blocks windows from being positioned above any critical system windows.
In one scenario, a victim downloads an app from Google Play that exploits this vulnerability. The first time the app runs, it tries to, and succeeds in, obtaining the System Alert Window permission on the device. The user sees no permission request or warning, allowing a hacker to display an overlay window that carries out an extortion attack or a credential request.
In an analysis of past mobile threats, Check Point said persistent on-top screens are used in 74 percent of ransomware attacks, 57 percent of adware attacks and 14 percent of banker malware abuse. “This is clearly not a minor threat, but an actual tactic used in the wild,” Check Point wrote.
“This feature is used by several good apps, and is a feature all apps downloaded from Google Play can take advantage of. The problem is that it can easily be used for wrongdoing,” researchers said.
Still unclear is how Google will handle balancing permissions for apps such as Facebook, versus requiring users to step through layers of settings to grant permissions for legitimate apps that utilize this on-top persistence screen feature, Check Point said. Since most users won’t bother to approve the permission manually, legitimate apps could be hurt by the mitigation introduced in Android O, Check Point said.
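As an added example (not code from the article, Check Point or Google), the following shows how a legitimate app that needs an on-top window, like the Messenger case above, should handle the permission explicitly under the Android O rules the article describes rather than relying on the silent grant Play-installed apps received on Marshmallow. The class name OverlayHelper, the bubble View and the request code are assumptions.

```java
import android.app.Activity;
import android.content.Context;
import android.content.Intent;
import android.graphics.PixelFormat;
import android.net.Uri;
import android.os.Build;
import android.provider.Settings;
import android.view.View;
import android.view.WindowManager;
import android.view.WindowManager.LayoutParams;

// Hypothetical helper (added example): ask for the on-top window permission
// explicitly instead of depending on the silent grant for Play-installed apps.
public final class OverlayHelper {

    // From M on, SYSTEM_ALERT_WINDOW is a per-app toggle in Settings, not an
    // install-time permission, so check the toggle rather than the manifest.
    public static boolean canDrawOverlays(Context ctx) {
        return Build.VERSION.SDK_INT < Build.VERSION_CODES.M
                || Settings.canDrawOverlays(ctx);
    }

    // Open the "Display over other apps" screen for this package only; re-check
    // canDrawOverlays() in onActivityResult, since the user may decline.
    public static void requestOverlayPermission(Activity activity) {
        if (Build.VERSION.SDK_INT < Build.VERSION_CODES.M) return;
        Intent intent = new Intent(Settings.ACTION_MANAGE_OVERLAY_PERMISSION,
                Uri.parse("package:" + activity.getPackageName()));
        activity.startActivityForResult(intent, 42); // 42: arbitrary request code
    }

    // On O+ use TYPE_APPLICATION_OVERLAY, which the system keeps below critical
    // windows (status bar, permission dialogs); earlier releases only have the
    // legacy types that could cover anything on screen.
    @SuppressWarnings("deprecation")
    public static int overlayWindowType() {
        return Build.VERSION.SDK_INT >= Build.VERSION_CODES.O
                ? LayoutParams.TYPE_APPLICATION_OVERLAY : LayoutParams.TYPE_PHONE;
    }

    // Attach a non-focusable bubble; return false rather than letting addView()
    // throw a BadTokenException when the permission has not been granted.
    public static boolean showBubble(Context ctx, View bubble) {
        if (!canDrawOverlays(ctx)) return false;
        LayoutParams lp = new LayoutParams(LayoutParams.WRAP_CONTENT,
                LayoutParams.WRAP_CONTENT, overlayWindowType(),
                LayoutParams.FLAG_NOT_FOCUSABLE | LayoutParams.FLAG_NOT_TOUCH_MODAL,
                PixelFormat.TRANSLUCENT);
        ((WindowManager) ctx.getSystemService(Context.WINDOW_SERVICE)).addView(bubble, lp);
        return true;
    }
}
```

A caller checks canDrawOverlays() first, calls requestOverlayPermission() when it returns false, and only calls showBubble() once the user has flipped the toggle; on Android O the user is also able to see which app is drawing over others and revoke it from the same Settings screen.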