40% of Android devices are at risk of screen hijack exploit

A currently unpatched exploit in the Android operating system means almost 40% of users are vulnerable to screen-hijacking apps, but it is unlikely to be fixed until the summer.

The bug, which was first spotted by researchers at Check Point, is caused by a development oversight in Android permissions, which in the past required users to manually grant downloaded applications the ability to display content on top of other app panes.

However following complaints from users who found it difficult to manually whitelist each app, the Android 6.0.1 'Marshmallow' update made this process automatic, which was good news for legitimate apps like WhatsApp and Facebook Messenger.

It appears that fix has meant apps hiding malicious codes are able to bypass security also being automatically granted the same access, specifically the 'SYSTEM_ALERT_WINDOW' permission. According to Google's own statistics, the vulnerability will be active on close to 40% of all Android devices.

"As a temporary solution, Google applied a patch in Android version 6.0.1 that allows the Play Store app to grant run-time permissions, which are later used to grant SYSTEM_ALERT_WINDOW permission to apps installed from the app store," the Check Point research team explained in a blog post. "This means that a malicious app downloaded directly from the app store will be automatically granted this dangerous permission."

This permission is particularly dangerous as it allows an app to display over any other app, without notifying the user. This means apps are able to display fraudulent adverts or links to content hosting malicious code, which are heavily used in banking Trojans.

"It can also be used by ransomware to create a persistent on-top screen that will prevent non-technical users from accessing their devices," explained the team. This particular permissions exploit is used by 74% of all ransomware, 57% of adware and 14% of banker malware, according to the report, clearly demonstrating that this is a widespread tactic in the wild.

What's worrying is that Google has stated that a fix will be available in time for the release of Android O, which isn't expected until late summer. In the meantime, Check Point has urged users to beware of dodgy-looking apps and to check the comments left by other users.

Although the Play Store is able to police the apps being uploaded to its platform, malicious content is repeatedly bypassing security checks. Check Point recently disclosed the discovery of a new malware strain hidden inside game guides hosted on the Play Store, thought to have infected close to two million Android devices over the past seven months.

Paul Ducklin, senior technologist at security software firm Sophos, believes companies are in a "Catch 22" situation over Google Play: "If you block Google Play, you'll probably end up turning on Android's 'Allow installation apps from unknown sources' instead. And 'unknown sources' opens you up to a massive menagerie of mobile markets."

"Companies should consider some sort of central mobile device management software that helps IT to prevent egregious mistakes, such as quietly blocking apps that no one has heard of yet, because they represent an as-yet unknown risk, while still allowing fun and freedom among better-trusted parts of the ecosystem."

Contributor

Dale Walker is a contributor specializing in cybersecurity, data protection, and IT regulations. He was the former managing editor at ITPro, as well as its sibling sites CloudPro and ChannelPro. He spent a number of years reporting for ITPro from numerous domestic and international events, including IBM, Red Hat, Google, and has been a regular reporter for Microsoft's various yearly showcases, including Ignite.