May 10, 2017 by

40% of Android Devices at Risk of Screen Hijack Exploit

Security researchers have uncovered a significant flaw in Google’s popular mobile platform Android, allowing malicious attackers to target victims with a plethora of malware. While Google has acknowledged the flaw, the tech giant won’t fix the vulnerability until the next major update of the mobile OS.

The flaw was first discovered by security researchers at Check Point earlier this month. The vulnerability affects all Android devices from Android 6.0.1 (Marshmallow). That accounts for 40% of all Android tablets and phones, which are now vulnerable.

Since Android 6.0, Google has changed the way app permissions work, sorting permissions into different categories. For instance, permissions labelled ‘dangerous’ are granted only at runtime, following manual approval by the user.

The exploit lies in an app permission called ‘SYSTEM_ALERT_WINDOW’, which allows applications to display their own windows on top of other applications at any time. The permission is powerful enough that users are required to grant it manually by going to Settings → Apps, finding the app and allowing it to ‘Draw’ over other apps. The feature is used by the likes of Facebook’s Messenger app, which displays a little bubble head on top of the screen. In essence, the permission enables an app to display over another app without notifying the user.

Here’s where the problem lies. Researchers explain:

This entails a significant potential for several malicious techniques, such as displaying fraudulent ads, phishing scams, click-jacking, and overlay windows, which are common with banking Trojans. It can also be used by ransomware to create a persistent on-top screen that will prevent non-technical users from accessing their devices.

As a temporary solution, Google has applied a patch in Android version 6.0.1, allowing the Play Store app to grant run-time permissions, which is used to grant the SYSTEM_ALERT_WINDOW permission to apps installed from the Play Store. However, this still allows

“This is clearly not a minor threat, but an actual tactic used in the wild,” researchers noted. Altogether, researchers discovered that a staggering 74% of ransomware, 57% of adware and 14% of banker malware actively abuse this permission.

With Google’s upcoming version, ‘Android O’, months away from release, the only way to stay secure is to keep an eye out for fishy apps on the Play Store or install mobile security software that is capable of scanning for and blocking malware.
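One way to keep that eye out is to check which apps can obtain the overlay permission and by which route. The script below is an added example, not code from the article or from Check Point; it assumes each app's AndroidManifest.xml has been decoded to plain XML and that the installer package is known, and the `com.example.*` apps are constructed sample data. The install-time rule for apps targeting below API 23 comes from Android's documentation rather than from the article.

```python
import xml.etree.ElementTree as ET

NS = "http://schemas.android.com/apk/res/android"
OVERLAY = "android.permission.SYSTEM_ALERT_WINDOW"
PLAY_STORE = "com.android.vending"  # package name of the Play Store app


def overlay_grant_path(manifest_xml, installer):
    """Return (package, path); path is None when no overlay is requested."""
    root = ET.fromstring(manifest_xml)
    requested = {el.get("{%s}name" % NS)
                 for tag in ("uses-permission", "uses-permission-sdk-23")
                 for el in root.iter(tag)}
    if OVERLAY not in requested:
        return root.get("package"), None
    sdk = root.find("uses-sdk")
    # Assumption: a missing targetSdkVersion is treated as a pre-Marshmallow app.
    target = int(sdk.get("{%s}targetSdkVersion" % NS, "1")) if sdk is not None else 1
    if target < 23:
        # Assumption (Android docs, not the article): granted at install time.
        return root.get("package"), "install-time"
    if installer == PLAY_STORE:
        return root.get("package"), "play-store-auto"  # the 6.0.1 behaviour above
    return root.get("package"), "manual"  # Settings > Apps > Draw over other apps


def audit(apps):
    """Map package -> grant path for every app that requests the overlay."""
    found = {}
    for installer, xml in apps:
        package, path = overlay_grant_path(xml, installer)
        if path is not None:
            found[package] = path
    return found


def _manifest(package, target_sdk, permissions):
    uses = "".join('<uses-permission android:name="%s"/>' % p for p in permissions)
    return ('<manifest xmlns:android="%s" package="%s">'
            '<uses-sdk android:targetSdkVersion="%d"/>%s</manifest>'
            % (NS, package, target_sdk, uses))


# Constructed sample data: (installer package, or None if sideloaded; manifest).
SAMPLE_APPS = [
    (PLAY_STORE, _manifest("com.example.chatheads", 25, [OVERLAY])),
    (None, _manifest("com.example.sideloaded", 25, [OVERLAY, "android.permission.INTERNET"])),
    (PLAY_STORE, _manifest("com.example.legacy", 22, [OVERLAY])),
    (PLAY_STORE, _manifest("com.example.notes", 25, ["android.permission.INTERNET"])),
]
```

Apps reported as `install-time` or `play-store-auto` are the ones that never pass through the manual ‘Draw over other apps’ screen, so they deserve the closest review.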
