May 10, 2017 by

40% of Android Devices at Risk of Screen Hijack Exploit

Security researchers have uncovered a significant flaw in Google’s popular mobile platform Android, allowing malicious attackers to target victims with a plethora of malware. While Google has acknowledged the flaw, the tech giant won’t fix the vulnerability until the next major update of the mobile OS.

The flaw was first discovered by security researchers at Check Point earlier this month. The vulnerability affects all Android devices from Android 6.0.1 (Marshmallow). That accounts for 40% of all Android tablets and phones, which are now vulnerable.

Starting with Android 6.0, Google changed the way app permissions work, sorting permissions into different categories. For instance, permissions labelled ‘dangerous’ are granted only at runtime, after the user manually approves them.

The exploit lies in an app permission called ‘SYSTEM_ALERT_WINDOW’, which allows applications to display their own windows on top of other applications at any time. It is a powerful enough permission that users must grant it explicitly, by heading to Settings → Apps, finding the app, and allowing it to ‘Draw’ over other apps. The feature is common among apps such as Facebook’s Messenger, which displays a little bubble head on top of the screen. In essence, the permission enables an app to display over another app without notifying the user.

Here’s where the problem lies. Researchers explain:

This entails a significant potential for several malicious techniques, such as displaying fraudulent ads, phishing scams, click-jacking, and overlay windows, which are common with banking Trojans. It can also be used by ransomware to create a persistent on-top screen that will prevent non-technical users from accessing their devices.

As a temporary solution, Google has applied a patch in Android version 6.0.1, allowing the Play Store app to grant run-time permissions used to grant SYSTEM_ALERT_WINDOW permissions to apps installed from the Play Store. However, this still allows

“This is clearly not a minor threat, but an actual tactic used in the wild,” researchers noted. Altogether, researchers discovered that a staggering 74% of ransomware, 57% of adware and 14% of banker malware actively abuse this permission.

With Google’s upcoming version, ‘Android O’, still months away from release, the only way to stay secure is to keep an eye out for fishy apps on the Play Store or to install mobile security software that is capable of scanning and blocking malware.
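One way to keep an eye on overlay-capable apps is to audit their manifests. The following is an added example, not part of the original article: it assumes each app’s manifest has already been decoded to plain XML and that the installer package is known, and the sample manifests and the function names are constructed for illustration.

```python
import xml.etree.ElementTree as ET

ANDROID_NS = "{http://schemas.android.com/apk/res/android}"
OVERLAY = "android.permission.SYSTEM_ALERT_WINDOW"
PLAY_STORE = "com.android.vending"  # package name of the Play Store app

_HDR = '<manifest xmlns:android="http://schemas.android.com/apk/res/android" '
# Constructed sample input: (decoded manifest XML, installer package or None).
SAMPLES = [
    (_HDR + 'package="com.example.chatheads">'
     '<uses-permission android:name="android.permission.INTERNET"/>'
     '<uses-permission android:name="android.permission.SYSTEM_ALERT_WINDOW"/>'
     '</manifest>', PLAY_STORE),
    (_HDR + 'package="com.example.flashlight">'
     '<uses-permission android:name="android.permission.SYSTEM_ALERT_WINDOW"/>'
     '</manifest>', None),  # sideloaded, no installer recorded
    (_HDR + 'package="com.example.notes">'
     '<uses-permission android:name="android.permission.INTERNET"/>'
     '</manifest>', PLAY_STORE),
]


def requested_permissions(manifest_xml):
    """Return (package name, set of permission names the manifest requests)."""
    root = ET.fromstring(manifest_xml)
    perms = set()
    for tag in ("uses-permission", "uses-permission-sdk-23"):
        for node in root.iter(tag):
            name = node.get(ANDROID_NS + "name")
            if name:
                perms.add(name)
    return root.get("package"), perms


def overlay_report(apps):
    """List apps that request the overlay permission and how it gets granted.

    Per the article: Play Store installs receive the grant automatically on
    Android 6.0.1, everything else needs the manual toggle in Settings.
    """
    report = []
    for manifest_xml, installer in apps:
        package, perms = requested_permissions(manifest_xml)
        if OVERLAY not in perms:
            continue
        grant = "play-store-auto-grant" if installer == PLAY_STORE else "manual-settings-grant"
        report.append((package, grant))
    return sorted(report)


if __name__ == "__main__":
    for package, grant in overlay_report(SAMPLES):
        print(f"{package}: requests {OVERLAY} ({grant})")
```

Apps reported with the automatic grant deserve the closest review, since the user never saw a prompt for them.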


About the author


LIFARS is the global leader in Digital Forensics and Cyber Resiliency Services. Our experience spans two decades working on high profile events, often in concert with Law Enforcement Agencies around the world. Our proprietary methodology derives directly and indirectly from our experience working with and for U.S. Intelligence Agencies, Interpol, Europol, and NATO. We are solely dedicated to Cyber Resiliency and thus pay close attention to all aspects of our clients’ engagement experience while providing a strategic and integrated array of services to minimize risk and disruption while protecting your brand.
