Google’s plan to foil screen-hijacking malware in Android O

74% of ransomware, 57% of adware, and 14% of banker malware abuse a specific app permission to target nearly 40 percent of all Android users – by overlaying screens, displaying fraudulent ads and phishing scams over apps.

hijacking malware android o

The permission

The permission in question – SYSTEM_ALERT_WINDOW, introduced in Android 6.0 (Marshmallow) in October 2015 – forced users to explicitly bestow each app with permission to draw over other apps.

But this created a problem for legitimate apps, whose normal functioning depended on this permission – tech-unsavvy users did not understand the steps they had to go through to give that permission, or were spooked when a legitimate app asked that one permission separately.

So, a month later, Google released Android version 6.0.1, and among the things that it changed was the following: all apps downloaded from Google Play were granted run-time permissions, which are later used to grant the SYSTEM_ALERT_WINDOW permission.

“This means that a malicious app downloaded directly from the app store will be automatically granted this dangerous permission,” the Check Point researchers pointed out. This move effectively nixed the security mechanism introduced in the previous version of the mobile OS.

A change is planned, but it’s far off

Google – and Android users – then continue to rely on Google Bouncer, the company’s scanning tool for spotting malicious before they are offered on Google Play. But, as we have almost daily proof, this defense in not enough.

Google is reportedly planning a better solution for this particular problem, to be implemented in the next big Android release – “Android O” (the final name is yet to be chosen).

“This will be done by creating a new restrictive permission called TYPE_APPLICATION_OVERLAY, which blocks windows from being positioned above any critical system windows, allowing users to access settings and block an app from displaying alert windows,” the researchers explained.

Unfortunately, this change is still quite a way off – Android O will be released in summer or even as late as autumn 2017.

In the meantime, users can protect themselves against these threats by being careful what they download from Google Play, and by using security apps that identify and block malware.

Also, it’s difficult to say how many users will upgrade to the latest Android offering once it’s released. Android Nougat (7.0) has been out for nearly a year, and only 6.6 percent of Android users are using it.

It’s also good to note that over 60 percent of Android users are still stuck with Android Lollipop (5.0 and 5.1) or earlier, providing malware peddlers with a huge number of potential victims that have poor defenses at their disposal. Maybe that’s a problem Google could also try to find a solution for.