How can Android app permissions be exploited by attackers?

A recently discovered Android app permissions flaw can expose users to attacks. Michael Cobb explains what the risks are and how Android O security will help users.

Check Point researchers discovered an Android app permissions flaw that exposes users to malware and adware attacks, and it will only receive a fix when Android Oreo -- also known as Android O -- is released. What is the vulnerability, and what types of apps does it affect? How will Android O security mitigate it?

This Android app permissions flaw arose because a Google Play security control, aimed at helping users better manage the permissions apps are granted, was weakened to improve usability and functionality.

Android apps can request wide-ranging permissions that, if granted to a malicious app, can compromise the device, its resources and the data stored on it.

Google introduced a new permission model in Android version 6 Marshmallow, enabling users to install apps without agreeing to important privacy-related permissions first. The first time an app needs to use a permission considered dangerous, it has to launch a permission request pop-up, making it easier for users to understand the context in which the app will use the permission. Users can choose whether or not to grant permissions to an app on a one-time or permanent basis, and can revoke a permission that has already been granted.

One extremely sensitive permission is SYSTEM_ALERT_WINDOW, which, when granted, enables an app to display a window over any other apps without notifying the user. This functionality can be abused to display fraudulent ads and overlay windows -- a common technique used by banking Trojans that create windows identical to a banking app's login page, as well as ransomware that places a persistent on-top screen. As granting this permission to the wrong type of app is potentially very dangerous, Google requires users to go through several menu choices to manually allow an app to use it.

However, legitimate apps that need the overlay functionality, such as Facebook's Messenger Chat Heads feature, found users couldn't or wouldn't approve the permission manually, adversely impacting how the apps worked.

To overcome this, Google decided to circumvent this security control in Android version 6.0.1, enabling the SYSTEM_ALERT_WINDOW permission by default on any apps that came from the Play store. This created a situation where Google's security system, Bouncer, which scans apps before they are made available via the Play Store, was the only barrier stopping malicious apps from being granted this potentially dangerous permission.

Hackers still have to find a way to bypass the Play Store's antimalware security before they can take advantage of this security hole, but that's not impossible. Bouncer doesn't have a 100% detection record; FalseGuide and Skinner are two recent examples of malicious apps that slipped through the vetting process. According to Check Point, which analyzed the Android app permissions flaw, 74% of ransomware, 57% of adware and 14% of banker malware abuse this permission.

Users are protected from this threat, as there is a new restrictive permission with Android O security called TYPE_APPLICATION_OVERLAY, which blocks windows from being positioned above any critical system windows, enabling users to access settings and block an app from displaying alert windows. Bypassing security mechanisms introduced in previous versions is never a good idea, and many vulnerable Android devices may not be upgraded to Oreo.

The open nature of the Android ecosystem means that enterprises that allow Android devices to connect to their network should ensure users receive regular security awareness training updates to keep them up to date with the latest threats and attack techniques they may encounter.

Users need to be selective in what they download, try to only use apps from trusted brands and always take time to read the comments left by other users. Finally, users should only grant permissions that have relevant context for the app's purpose.

Next Steps

Read more about the Android OS and Android fragmentation

Find out how Google is enhancing Android app privacy

Learn how Google improved security with Android N

This was last published in October 2017

Dig Deeper on Threats and vulnerabilities