A serious security vulnerability in Android was discovered by Check Point researchers. Google knows about the problem but cannot fix it easily. The vulnerability stems from a flawed revision of the application permission mechanism introduced in Android Marshmallow. It currently provides an open gateway for ransomware, adware and other malware that lie in wait for users, even in the Google Play store.

Such are the consequences of flaws that exploit weaknesses in the architecture of an operating system. Repairing them is so involved that major components of the system have to be rebuilt, and even some fundamental assumptions have to change. In such cases developers therefore prepare a workaround that only alleviates the effects of the problem without solving it; the full fix arrives only in the next release. Google plans to do the same.

The vulnerability discovered by Check Point will be fixed in Android O, i.e. Oreo.

The problem appeared in Android Marshmallow 6.0.0, where Google introduced a new permission model for applications. Permissions are divided into several groups; some are classified as dangerous and are granted only at runtime, while the application is in use. In practice, this means the user must grant the application such a permission exactly when the program asks for it the first time. In addition, there is a special privilege called SYSTEM_ALERT_WINDOW, shown in the settings as "Draw over other apps". At first, users had to enable this permission manually in the Android settings.

However, it turned out that many useful and popular applications (such as YouTube and Facebook Messenger) rely on this functionality. Therefore, with the Android Marshmallow 6.0.1 update, applications installed from the Google Play store are granted SYSTEM_ALERT_WINDOW automatically. Unfortunately, 74% of all ransomware, 57% of adware and 14% of malware use this permission. Software of this type has even been found within apps in Google Play, where it is hidden by encoding the malicious code.
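As an added illustration (not part of the original article or of Check Point's research), the following Python script audits which installed packages can actually draw over other apps. It assumes two inputs a defender captures from a device: the output of `adb shell dumpsys package` and, per package, the output of `adb shell appops get <pkg> SYSTEM_ALERT_WINDOW`. The embedded samples are constructed and modelled on that output, and the package names are invented. The point it demonstrates is the caveat behind the two paragraphs above: from Marshmallow on, the manifest-level grant shown by `dumpsys package` does not by itself tell you whether an overlay is live, because the permission is enforced through AppOps, so the audit treats an app as able to draw overlays only when the app op mode is `allow`.

```python
import re
from typing import Dict, Optional

# Constructed excerpt modelled on `adb shell dumpsys package` output on Android 6.x.
# Not real device output; package names are invented.
SAMPLE_DUMPSYS = """\
Packages:
  Package [com.example.videoapp] (3f2a1b0):
    userId=10087
    installerPackageName=com.android.vending
    requested permissions:
      android.permission.INTERNET
      android.permission.SYSTEM_ALERT_WINDOW
    install permissions:
      android.permission.INTERNET: granted=true
      android.permission.SYSTEM_ALERT_WINDOW: granted=true
  Package [com.example.sideloaded] (9c8d7e6):
    userId=10102
    installerPackageName=null
    requested permissions:
      android.permission.SYSTEM_ALERT_WINDOW
    install permissions:
      android.permission.SYSTEM_ALERT_WINDOW: granted=true
  Package [com.example.notes] (1a2b3c4):
    userId=10110
    installerPackageName=com.android.vending
    requested permissions:
      android.permission.INTERNET
    install permissions:
      android.permission.INTERNET: granted=true
"""

# Constructed per-package text modelled on `adb shell appops get <pkg> SYSTEM_ALERT_WINDOW`.
SAMPLE_APPOPS = {
    "com.example.videoapp": "SYSTEM_ALERT_WINDOW: allow; time=+2d4h11m ago\n",
    "com.example.sideloaded": "No operations.\n",
}

PACKAGE_RE = re.compile(r"^\s*Package \[([^\]]+)\]")
INSTALLER_RE = re.compile(r"^\s*installerPackageName=(\S+)")
GRANT_RE = re.compile(r"^\s*android\.permission\.SYSTEM_ALERT_WINDOW: granted=(true|false)")
APPOP_RE = re.compile(r"^SYSTEM_ALERT_WINDOW: (allow|deny|ignore|default)")
OVERLAY_PERM = "android.permission.SYSTEM_ALERT_WINDOW"
PLAY_INSTALLER = "com.android.vending"   # installer id recorded for Google Play installs


def parse_dumpsys(text: str) -> Dict[str, dict]:
    """For every package that requests SYSTEM_ALERT_WINDOW: installer and manifest-level grant."""
    pkgs: Dict[str, dict] = {}
    cur: Optional[str] = None
    for raw in text.splitlines():
        m = PACKAGE_RE.match(raw)
        if m:  # start of a new package block
            cur = m.group(1)
            pkgs[cur] = {"installer": None, "requested": False, "manifest_granted": False}
            continue
        if cur is None:
            continue
        m = INSTALLER_RE.match(raw)
        if m:
            pkgs[cur]["installer"] = None if m.group(1) == "null" else m.group(1)
        elif raw.strip() == OVERLAY_PERM:  # bare line under "requested permissions:"
            pkgs[cur]["requested"] = True
        else:
            m = GRANT_RE.match(raw)  # "...: granted=true" under "install permissions:"
            if m:
                pkgs[cur]["manifest_granted"] = m.group(1) == "true"
    return {p: s for p, s in pkgs.items() if s["requested"]}


def appops_mode(text: str) -> str:
    """Mode of the SYSTEM_ALERT_WINDOW app op; 'unset' when appops has no record for it."""
    for line in text.splitlines():
        m = APPOP_RE.match(line.strip())
        if m:
            return m.group(1)
    return "unset"


def audit(dumpsys_text: str, appops_by_pkg: Dict[str, str]) -> Dict[str, dict]:
    """Combine both views: an overlay is effective only when the app op is 'allow'."""
    report = {}
    for pkg, st in parse_dumpsys(dumpsys_text).items():
        mode = appops_mode(appops_by_pkg.get(pkg, ""))
        report[pkg] = {
            **st,
            "appop_mode": mode,
            "can_draw_overlays": st["manifest_granted"] and mode == "allow",
            # the 6.0.1 behaviour the article describes: Play-installed app, op allowed
            "play_auto_granted": st["installer"] == PLAY_INSTALLER and mode == "allow",
        }
    return report


def overlay_holders(dumpsys_text: str, appops_by_pkg: Dict[str, str]) -> list:
    """Sorted package names that can currently draw over other apps."""
    return sorted(p for p, r in audit(dumpsys_text, appops_by_pkg).items()
                  if r["can_draw_overlays"])


if __name__ == "__main__":
    for pkg, r in audit(SAMPLE_DUMPSYS, SAMPLE_APPOPS).items():
        print(f"{pkg}: installer={r['installer']} appop={r['appop_mode']} "
              f"overlay={'YES' if r['can_draw_overlays'] else 'no'}")
```

In the constructed sample, `com.example.sideloaded` shows `granted=true` in `dumpsys package` yet has no app op set, so it is reported as unable to draw overlays; only the Play-installed `com.example.videoapp`, whose op is `allow`, is flagged. On a real device, replace the samples with the captured command output and review every flagged package that has no legitimate need to draw over other apps.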

Google trusts its Bouncer mechanism.

Apps submitted to Google Play are scanned for suspicious behaviour. The process involves running the application in a virtual environment (an Android emulator) and monitoring how it behaves. However, malware developers have learned to write malware that can recognise whether it is running on an emulator or on a real device, so the harmful routines start only when real hardware is detected. Bouncer is therefore not able to catch every threat.

Source: Check Point