Android 6.0.1 Marshmallow brought a major security flaw to the mix, but Google won't fix it until Android 8.0 O hits the scene.
This means that the two latest Android versions — Marshmallow and Nougat — are plagued by that vulnerability, which consists of a permissions flaw that can be exploited by banking malware and ransomware.
Android Permissions Flaw Grants Access To Malware, Ransomware
The disturbing revelation comes from security firm Check Point, which took a closer look at the permissions model Google adopted in Android and found out that it contains a bug that serves as a tool for adware, ransomware and banking Trojan malware to take over victims' screens with extortion and phishing pages.
"Based on Google's policy which grants extensive permissions to apps installed directly from Google Play, this flaw exposes Android users to several types of attacks, including ransomware, banking malware and adware," Check Point reveals. "Check Point reported this flaw to Google, which responded that this issue is already being dealt with in the upcoming version of Android, currently dubbed 'Android O.'"
Android 6.0 Marshmallow is currently the most widely used Android version, but it has a sensitive permission called SYSTEM_ALERT_WINDOW, which allows apps to push windows that overlay other apps. The major security flaw stems precisely from this permission.
Check Point's report offers some alarming stats. Upon examining Android's permissions model, it found that a whopping 74 percent of ransomware, 57 percent of adware and 14 percent of banking malware took advantage of this permission to carry out their shady operation. The security firm points out that this is obviously a major threat, as it's a real tactic that attackers widely use.
Android Permissions Model
In earlier versions of Android, Google required users to manually approve this permission through the Settings screen, which reduced the potential for malicious incidents since it was a tougher process. Allowing apps to access resources such as Wi-Fi state, camera, contacts or microphone without manually approving this permission dramatically increased the potential for abuse, and the rates of abuse went up.
Why? Well, starting with Android 6.0.1 Marshmallow, Google modified the process for approving permissions to SYSTEM_ALERT_WINDOW if the app came from the Google Play Store.
Google added the exception because some legitimate apps such as Facebook Messenger need that permission to support features such as floating chat heads, but the manual permission process hindered its success as users often failed to grant the necessary permissions in their devices' system settings. In other words, Google added that exception to ensure that legitimate apps function in an optimal manner, but it backfired.
Check Point explains that Google issued a patch in Android 6.0.1 as a temporary workaround that enabled the Play Store app to grant run-time permissions. Those permissions later served to grant SYSTEM_ALERT_WINDOW permission to all apps installed directly from the Play Store, which meant that any malicious app would get permission automatically as long as it was installed from the Play Store.
While Google Play is the safest source for installing legitimate Android apps, some malicious apps still slip through the cracks and if this permission has been as widely abused as Check Point indicates, the permissions exception may have increased the risk for malware for Google Play users. Ultimately, it comes down to how efficiently Google prevents malware from hitting Google Play Store in the first place.
Check Point notes that Google will fix this permissions flaw with Android O, which is slated to launch in the third quarter of this year.