SafeUM

Axarhöfði 14, 110 Reykjavik, Iceland

Iceland - 2015
12 May 2017

This Android flaw is used by most ransomware

The two newest versions of Android are vulnerable to a permissions feature being exploited by ransomware and banking malware.

Security firm Check Point has examined Android's permission model and discovered it contains an odd bug that has become a favorite tool for ransomware, adware, and banking trojans to hijack victims' screens with phishing pages and extortion demands.

This problem stems from an extremely sensitive permission in Android 6.0 Marshmallow, the most widely used version of Android, called SYSTEM_ALERT_WINDOW. The permission allows an app to create windows that overlay all other apps. "According to our findings, 74 percent of ransomware, 57 percent of adware, and 14 percent of banker malware abuse this permission as part of their operation. This is clearly not a minor threat, but an actual tactic used in the wild," Check Point's mobile research team notes.

Given its potential for abuse, Google initially required the user to approve this permission manually through the Settings screen, a harder process than the one for granting apps access to "normal" resources, such as Wi-Fi state, or "dangerous" resources, such as the camera, microphone, or contacts.

However, in Android 6.0.1, Google made an exception to the process for granting the SYSTEM_ALERT_WINDOW permission, so long as the app was installed from the Play Store. It did this because the manual process was causing trouble for legitimate apps, like Facebook Messenger, which relied on the feature to support its floating chat heads, according to Check Point.

"As a temporary solution, Google applied a patch in Android version 6.0.1 that allows the Play Store app to grant run-time permissions, which are later used to grant SYSTEM_ALERT_WINDOW permission to apps installed from the app store. This means that a malicious app downloaded directly from the app store will be automatically granted this dangerous permission," the firm notes.
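The following is an added example, not code from the article or from Check Point: a defender's audit that lists which installed apps request SYSTEM_ALERT_WINDOW and whether each was installed via the Play Store, the install path the article says receives the permission automatically on Android 6.0.1. It assumes input in the style of `adb shell dumpsys package`; the sample dump and its package names are constructed.

```python
import re

PERMISSION = "android.permission.SYSTEM_ALERT_WINDOW"
PLAY_STORE = "com.android.vending"  # installer name recorded for Play Store installs
# Constructed, simplified excerpt in the style of `adb shell dumpsys package`;
# the package names are made up for this example.
SAMPLE_DUMP = """\
  Package [com.example.chatheads] (a1b2c3):
    installerPackageName=com.android.vending
    requested permissions:
      android.permission.INTERNET
      android.permission.SYSTEM_ALERT_WINDOW
    install permissions:
      android.permission.INTERNET: granted=true
  Package [com.example.flashlight] (d4e5f6):
    installerPackageName=null
    requested permissions:
      android.permission.SYSTEM_ALERT_WINDOW
  Package [com.example.notes] (0a1b2c):
    installerPackageName=com.android.vending
    requested permissions:
      android.permission.INTERNET
"""

def parse_packages(dump):
    """Return {package: {"installer": str or None, "requested": set of permissions}}."""
    packages, current, in_requested = {}, None, False
    for line in dump.splitlines():
        stripped = line.strip()
        m = re.match(r"Package \[([\w.]+)\]", stripped)
        if m:  # start of a new package record
            current = packages.setdefault(m.group(1), {"installer": None, "requested": set()})
            in_requested = False
        elif current is None:
            continue
        elif stripped.startswith("installerPackageName="):
            value = stripped.split("=", 1)[1]
            current["installer"] = None if value == "null" else value
        elif stripped == "requested permissions:":
            in_requested = True
        elif in_requested and re.fullmatch(r"[\w.]+", stripped):
            current["requested"].add(stripped)
        else:  # any other line ends the requested-permissions block
            in_requested = False
    return packages

def overlay_audit(dump):
    """(package, installer, installed_via_play) for apps requesting the overlay permission."""
    return [(p, i["installer"], i["installer"] == PLAY_STORE)
            for p, i in sorted(parse_packages(dump).items()) if PERMISSION in i["requested"]]
```

On a real device the input would be captured from `adb shell dumpsys package`; real output carries many more fields and varies between Android versions, so treat the parser as a starting point.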

Google Play is by far the safest place to install Android apps. However, if the use of this permission is as widespread as Check Point says, the exception may have exposed Google Play users to greater risk. Whether it was a wise choice depends heavily on Google's ability to prevent malware from reaching its app store.

The security firm notes that "nearly 45 percent of the applications using the SYSTEM_ALERT_WINDOW permission are apps from Google Play". Not all those apps are necessarily malicious, but the Google Play malware checker, known as Bouncer, doesn't have a perfect record for detecting malware.

Google recently removed several Android apps carrying the BankBot malware targeting European and Australian banking customers, which displayed overlays identical to each targeted bank app's login pages.

Check Point has also raised the alarm over several examples of adware hiding inside seemingly legitimate apps on Google Play.

According to Check Point, Google will address this issue in Android O, which is currently in developer preview and is scheduled for release in the third quarter of this year. The fix will be in the form of a new restrictive permission called TYPE_APPLICATION_OVERLAY.

The permission "blocks windows from being positioned above any critical system windows, allowing users to access settings and block an app from displaying alert windows", according to Check Point.



Tags: Android information leaks

Source: ZDNet