An unpatched bug is leaving almost 40% of Android users at risk from screen-hijacking apps, a new report has found. And it's something that Google is unlikely to fix until the summer.
The problem, first spotted by researchers at Check Point, revolves around an oversight in Android permissions, and affects all phones running Android version 6.0.1 (Marshmallow) and above. According to Google's own stats, that's a whopping 38.3% of users left vulnerable.
Apps that are allowed to draw elements on top of other apps (like Facebook Messenger's chat heads, for instance) are at the heart of the problem. Since Android 6.0, an app that wants this ability must hold the 'SYSTEM_ALERT_WINDOW' permission, and the user has to grant it explicitly by switching on 'Draw over other apps' for that app in Settings, rather than accepting it at install time.
But so many popular apps were seeing complaints from users uncertain of how to switch the permission on (particularly if they had previously declined it) that Google removed the need for users to enable it manually for apps installed from the Play Store.
While legitimate apps breathed a sigh of relief, the change also opened a loophole through which malicious apps could obtain the permission without the user ever being asked.
"As a temporary solution, Google applied a patch in Android version 6.0.1 that allows the Play Store app to grant run-time permissions, which are later used to grant SYSTEM_ALERT_WINDOW permission to apps installed from the app store", explains Check Point.
"This means that a malicious app downloaded directly from the app store will be automatically granted this dangerous permission."
The Play Store polices itself through Google's 'Bouncer' software, which scans submitted apps for signs of malicious intent. But devious app developers may still be able to fly under the radar, and use the permission loophole to take over a user's screen, run phishing attacks by drawing fake login screens over legitimate apps, or play havoc with the phone's UI.
Worst of all, Google has said the issue will only be fixed in Android O, and that isn't expected until late this summer.
In the meantime, Android users should stick to trusted sources for their app downloads and steer clear of third-party Android app stores, which are known to be rife with malware. Because the loophole applies to apps installed from the Play Store itself, it is also worth checking the 'Draw over other apps' list in the Settings app and switching the permission off for any app that has no obvious need to sit on top of other apps.
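As an added example (not part of the original article or of Check Point's report), the following Python script audits a device for this permission the way an administrator with ADB access would: it parses the output of `adb shell appops get <package> SYSTEM_ALERT_WINDOW`, flags any package that is allowed to draw overlays but is not on an expected list, and can revoke the app-op with `appops set`. The sample output dictionary, the package names and the allow-list are constructed for illustration; only the adb commands themselves are real.

```python
"""Audit which installed apps hold the SYSTEM_ALERT_WINDOW app-op ("Draw over other apps")."""
import re
import subprocess
import sys

# Constructed sample of `adb shell appops get <pkg> SYSTEM_ALERT_WINDOW` output,
# keyed by package name. Package names are illustrative, not real findings.
SAMPLE_APPOPS_OUTPUT = {
    "com.example.chatheads":  "SYSTEM_ALERT_WINDOW: allow; time=+3d2h11m ago",
    "com.example.flashlight": "SYSTEM_ALERT_WINDOW: allow",
    "com.example.notes":      "SYSTEM_ALERT_WINDOW: deny",
    "com.example.calendar":   "No operations.",
    "com.example.weather":    "SYSTEM_ALERT_WINDOW: ignore; time=+1h ago",
}

# Assumed allow-list of apps that legitimately overlay the screen (e.g. chat
# bubbles); in a real fleet this would be maintained by the administrator.
EXPECTED_OVERLAY_APPS = {"com.example.chatheads"}

_MODE_RE = re.compile(r"^SYSTEM_ALERT_WINDOW:\s*(\w+)")


def parse_appop_mode(output: str) -> str:
    """Return the app-op mode ('allow', 'deny', 'ignore', 'default', ...) from one
    `appops get` result. 'No operations.' means no explicit mode was ever set, so it
    is reported as 'unset' and left for manual review rather than assumed safe."""
    for line in output.splitlines():
        m = _MODE_RE.match(line.strip())
        if m:
            return m.group(1).lower()
    return "unset"


def audit(appops_by_pkg: dict, expected: set) -> dict:
    """Classify each package:
    'expected'   - allowed to overlay and on the allow-list
    'unexpected' - allowed to overlay but NOT on the allow-list (the ones to look at)
    'blocked'    - explicitly denied/ignored
    'review'     - no explicit mode ('default'/'unset'); check by hand."""
    verdicts = {}
    for pkg, out in appops_by_pkg.items():
        mode = parse_appop_mode(out)
        if mode == "allow":
            verdicts[pkg] = "expected" if pkg in expected else "unexpected"
        elif mode in ("deny", "ignore"):
            verdicts[pkg] = "blocked"
        else:
            verdicts[pkg] = "review"
    return verdicts


def _adb(*args: str) -> str:
    """Run one adb command and return its stdout (requires a connected device)."""
    cp = subprocess.run(["adb", *args], capture_output=True, text=True, check=True)
    return cp.stdout


def list_third_party_packages() -> list:
    """Third-party (user-installed) packages, from `pm list packages -3`."""
    out = _adb("shell", "pm", "list", "packages", "-3")
    return [ln.split(":", 1)[1].strip() for ln in out.splitlines() if ln.startswith("package:")]


def collect_via_adb(packages: list) -> dict:
    """Query the real SYSTEM_ALERT_WINDOW app-op for each package on the device."""
    return {pkg: _adb("shell", "appops", "get", pkg, "SYSTEM_ALERT_WINDOW") for pkg in packages}


def revoke_overlay(pkg: str) -> None:
    """Switch 'Draw over other apps' off for one package (same effect as the Settings toggle)."""
    _adb("shell", "appops", "set", pkg, "SYSTEM_ALERT_WINDOW", "deny")


if __name__ == "__main__":
    # `--device` runs against a connected phone; otherwise the constructed sample is used.
    if "--device" in sys.argv:
        data = collect_via_adb(list_third_party_packages())
    else:
        data = SAMPLE_APPOPS_OUTPUT
    for pkg, verdict in sorted(audit(data, EXPECTED_OVERLAY_APPS).items()):
        print(f"{verdict:10s} {pkg}")
```

Running it without arguments prints the verdicts for the constructed sample; with `--device` it walks every user-installed package on the attached phone. Packages reported as 'unexpected' are the ones the loophole matters for: they were never prompted for the permission, so the user has no memory of granting it.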
Via The Register