Big time Android flaw won't be fixed until next build is released

A serious flaw discovered in Android by cyber security firm Check Point is known to Google, but won't be fixed until the next build of the Android OS is released later this year. The flaw can lead to a number of malware attacks resulting in "ransomware, banking malware and adware." And while Android O does remove this vulnerability from the software, it still leaves the large number of phones not expected to receive the upgrade wide open to attack.

It all revolves around a permissions category that contains one permission, SYSTEM_ALERT_WINDOW. Originally added with Android Marshmallow, this permission was supposed to be manually agreed to by the phone's user. To spare users from having to grant permission when new functionality is added to apps already installed, in Android 6.0.1 Google allowed SYSTEM_ALERT_WINDOW to be enabled by default for any app coming from the Google Play Store. However, this left Android handsets open to "displaying fraudulent ads, phishing scams, click-jacking, and overlay windows, which are common with banking Trojans," according to Check Point. The latter says that 74% of ransomware, 57% of adware, and 14% of banker malware use this flaw to inflict real-time harm.

This is not an opening that can only be theoretically abused. According to Check Point, these things are happening now. Android O will prevent this by using a new, more restrictive permission called TYPE_APPLICATION_OVERLAY. To protect Android users until the next build of Android is disseminated, Check Point gives simple but solid advice. "Beware of fishy apps," it says, even those in the Google Play Store. They also advise those installing apps to read comments written by others, and to watch for permissions that are not relevant to the workings of the app being installed.
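For developers of banking or other sensitive apps, the click-jacking risk described above can be reduced on the app side, independent of the OS fix. The following is an added example (not code from the article, Check Point, or Google) of a button that refuses taps delivered while another window is drawn over it, using the Android framework's obscured-touch filtering; the package and class names are hypothetical.

```java
// Added example: a button for sensitive actions that drops any touch arriving
// while an overlay window from another app covers it. Package and class names
// are hypothetical; the Android APIs used are part of the public framework.
package com.example.overlaydefence;

import android.content.Context;
import android.util.AttributeSet;
import android.util.Log;
import android.view.MotionEvent;
import android.widget.Button;

/**
 * A Button for sensitive actions (e.g. "Confirm transfer") that ignores touches
 * while the window is obscured. This is the app-side mitigation for tap-jacking
 * through SYSTEM_ALERT_WINDOW overlays on builds that still grant that
 * permission automatically to Play Store apps.
 */
public class ObscuredTouchAwareButton extends Button {
    private static final String TAG = "OverlayDefence";

    public ObscuredTouchAwareButton(Context context, AttributeSet attrs) {
        super(context, attrs);
        // Ask the framework to discard touches delivered while this window is
        // obscured by another window (available since API level 9).
        setFilterTouchesWhenObscured(true);
    }

    @Override
    public boolean onFilterTouchEventForSecurity(MotionEvent event) {
        int flags = event.getFlags();
        // Set when another window completely covers the touched window.
        boolean obscured = (flags & MotionEvent.FLAG_WINDOW_IS_OBSCURED) != 0;
        // Set (API level 29 and later) when another window covers only part of
        // the touched window; older builds never set this bit.
        boolean partiallyObscured =
                (flags & MotionEvent.FLAG_WINDOW_IS_PARTIALLY_OBSCURED) != 0;
        if (obscured || partiallyObscured) {
            // Record the event for telemetry and refuse to handle the tap.
            Log.w(TAG, "Dropped touch on sensitive control: window obscured");
            return false;
        }
        return super.onFilterTouchEventForSecurity(event);
    }
}
```

Use this class in place of a plain Button for controls that confirm payments or credential entry; a legitimate overlay (for example a system notification) covering the control will also cause taps to be dropped, which is the intended trade-off.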

source: CheckPoint via BGR