Android O-mg. Google won't kill screen hijack nasties on Android 6, 7 until the summer
Try not to download anything nasty from the Play Store
Nearly 40 per cent of Android users are vulnerable to a security design flaw that Google won't fix until the next major revision of the mobile operating system.
The cockup is a strange one, and was spotted by researchers at Check Point. It affects Android 6.0.1 (aka Marshmallow) phones and above, which, according to the official Android dashboard, means 38.3 per cent of devices are hit.
When Android 6.0.0 landed, Google changed how the app permission SYSTEM_ALERT_WINDOW is handled. The permission allows applications to draw stuff on the screen over other apps whenever they like. It's rather powerful. So powerful that, from 6.0, you, the user, have to explicitly grant it: go to Settings, then Apps, find the app in question, and tap Draw over other apps to enable or disable access. There is no automatic prompt from the system: an app that wants to pop open an overlay is supposed to check whether it has been allowed and, if not, send you to that Settings screen so you can decide whether you're OK with the intrusion.
Great, so far, so good. Except that the requirement to obtain permission before displaying an overlay threatened popular apps like Facebook's Messenger, which draws little bubbles on the screen over other programs as a way of diving back into ongoing conversations. Users wouldn't, or didn't know how to, enable access, so the application wouldn't work properly.
So what did Google do? In Android 6.0.1 it removed the requirement for explicit user permission to use SYSTEM_ALERT_WINDOW for apps installed from the Google Play store: the Play Store app grants it on the user's behalf. Such apps can now use it as they wish without the user's explicit blessing – which means the software can force ads onto the screen, phish victims, hijack taps on the UI, take over the screen until a ransom is paid, and so on.
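The check-and-request flow described above, as an added example written for this article and not code from Google, Facebook or Check Point. It is an ordinary Android Activity that asks the system whether it may draw overlays and, if not, sends the user to the Draw over other apps screen; the class name, the request code and the "overlay" label are arbitrary, and the app's manifest is assumed to declare android.permission.SYSTEM_ALERT_WINDOW (required on every Android version).

```java
// Added example, not from the article: the Android 6.0 overlay-permission flow.
// Assumes the manifest declares android.permission.SYSTEM_ALERT_WINDOW.
// OverlayDemoActivity and REQUEST_OVERLAY are arbitrary names for illustration.
import android.app.Activity;
import android.content.Intent;
import android.graphics.PixelFormat;
import android.net.Uri;
import android.os.Build;
import android.os.Bundle;
import android.provider.Settings;
import android.view.Gravity;
import android.view.WindowManager;
import android.widget.TextView;

public class OverlayDemoActivity extends Activity {
    private static final int REQUEST_OVERLAY = 1001; // arbitrary request code

    @Override
    protected void onCreate(Bundle savedInstanceState) {
        super.onCreate(savedInstanceState);
        if (hasOverlayPermission()) {
            showOverlay();
        } else {
            // The system never prompts on its own: the app must send the user to
            // the "Draw over other apps" Settings screen, scoped to this package.
            Intent intent = new Intent(Settings.ACTION_MANAGE_OVERLAY_PERMISSION,
                    Uri.parse("package:" + getPackageName()));
            startActivityForResult(intent, REQUEST_OVERLAY);
        }
    }

    /**
     * Before 6.0 the manifest declaration alone was enough. From 6.0 the
     * per-app toggle in Settings must be on. On 6.0.1 and later the Play Store
     * switches it on for apps it installs, so for those apps this returns true
     * without the user ever seeing the Settings screen: the flaw in the article.
     */
    private boolean hasOverlayPermission() {
        if (Build.VERSION.SDK_INT < Build.VERSION_CODES.M) {
            return true; // pre-6.0: only the manifest permission is checked
        }
        return Settings.canDrawOverlays(this);
    }

    @Override
    protected void onActivityResult(int requestCode, int resultCode, Intent data) {
        super.onActivityResult(requestCode, resultCode, data);
        // The Settings screen sets no meaningful result code, so re-check the
        // state instead of trusting resultCode.
        if (requestCode == REQUEST_OVERLAY && hasOverlayPermission()) {
            showOverlay();
        }
    }

    /** A minimal overlay: a TextView attached directly to the WindowManager
     *  with a system-alert window type, so it floats above every other app. */
    private void showOverlay() {
        TextView bubble = new TextView(this);
        bubble.setText("overlay");
        WindowManager.LayoutParams lp = new WindowManager.LayoutParams(
                WindowManager.LayoutParams.WRAP_CONTENT,
                WindowManager.LayoutParams.WRAP_CONTENT,
                WindowManager.LayoutParams.TYPE_SYSTEM_ALERT,
                WindowManager.LayoutParams.FLAG_NOT_FOCUSABLE,
                PixelFormat.TRANSLUCENT);
        lp.gravity = Gravity.TOP | Gravity.START;
        WindowManager wm = (WindowManager) getSystemService(WINDOW_SERVICE);
        wm.addView(bubble, lp);
    }
}
```

The same appop state that the Settings toggle drives, and that Settings.canDrawOverlays() reads, can be inspected from a connected device with `adb shell appops get <package> SYSTEM_ALERT_WINDOW`, which is a quick way to audit which installed apps already hold the permission without you ever having approved it. Note that TYPE_SYSTEM_ALERT is deprecated for third-party apps from Android O, which introduces TYPE_APPLICATION_OVERLAY in its place.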
The one thing saving you is to not install dodgy apps from the Play store, and to rely on Google policing it properly to remove crappy apps abusing SYSTEM_ALERT_WINDOW. According to Check Point, the special permission is used by 74 per cent of ransomware, 57 per cent of adware, and 14 per cent of banking malware in circulation.
"Since Google understood the problematic nature of this [SYSTEM_ALERT_WINDOW] permission, and the apparent risks for user privacy, it created the distinct process mentioned above to approve it," said Check Point's research team on Tuesday.
"However, this soon caused problems, as this permission is also used by legitimate apps, such as Facebook, which requires it for its Messenger chat heads feature. Since most users won’t be able to approve the permission manually, such apps could be hurt by it.
"As a temporary solution, Google applied a patch in Android version 6.0.1 that allows the Play Store app to grant run-time permissions, which are later used to grant SYSTEM_ALERT_WINDOW permission to apps installed from the app store. This means that a malicious app downloaded directly from the app store will be automatically granted this dangerous permission."
Google will address the design blunder in Android O, which will most likely be out this summer or autumn. Fingers crossed you get the update if you're on Android 6 or 7 today.
In the meantime, Google will continue to rely on its Bouncer software, which automatically checks apps in its store for evil intent, and removes them if they are naughty – and abusing overlay windows will get you kicked out. Google also has human inspectors that follow up and go through code that raises a red flag.
But as we have seen multiple times, Google's system is not perfect (neither is Apple's, for that matter) and rogue apps get into the Store. Last month nearly 50 applications were pulled from the Play Store because they contained ad fraud software. In April similar apps were also removed after an investigation.
But the real danger is from third-party Android app stores. These are already known to be a seething mass of malware, but are still popular, particularly in Asia and Russia – and the SYSTEM_ALERT_WINDOW permission is ripe for abuse in these unregulated souks.
A spokesperson for Google was not available for comment. ®