There’s recently been a lot of media coverage about a so-called Android vulnerability related to a feature called SYSTEM_ALERT_WINDOW.
Simply put, this is a special Android permission that grants an app the right to pop up content over another app, like a telephone app does if a call comes in while you’re browsing.
Obviously, this sort of power is ripe for abuse – a crook could make the popped-over window look exactly like what’s underneath, for example, and therefore phish you into putting your password into the wrong form, or trick you into clicking a button to approve the wrong action.
For this reason, according to security researchers at Check Point, Google made the SYSTEM_ALERT_WINDOW permission into one that couldn’t be used surreptitiously, starting in Android 6.
The first time an app tried to assert its right to write over the top of another app, you’d get a security warning that required explicit approval.
(That’s not a panacea, of course – generic-sounding security dialogs often get clicked away regardless – but it at least gave you a fighting chance of detecting risky app behaviour.)
It seems, however, that many popular apps, such as Facebook and Pocket, used the SYSTEM_ALERT_WINDOW feature.
Users were therefore getting security warnings for apps that they otherwise considered to be perfectly safe.
As a result, Google backed off a bit from its security stance: in the Android 6.0.1 release, the alert window that popped up to warn you that a SYSTEM_ALERT_WINDOW was about to pop up…
…was suppressed if the app had come from Google Play.
You might think, if Google felt strongly enough to consider SYSTEM_ALERT_WINDOW a potential malware-related security problem in the first place, that it would take extra care over approving Play Store apps that made use of it.
According to Check Point, however, many apps that abuse SYSTEM_ALERT_WINDOW to create malicious visual overlays have been found in Google Play – sufficiently many, in fact, that the media has dubbed this an actively exploited vulnerability.
Google doesn’t seem to agree, as it says that a “fix” will be out only in the next release of Android, version O, which is likely to appear more than 90 days from now. (90 days is the longest that Google’s Project Zero thinks it should take to patch a security hole.)
Vulnerability or not?
We’re inclined to concur that the SYSTEM_ALERT_WINDOW permissions issue isn’t really a vulnerability – it’s more of a security improvement that ended up shelved, which is not the same thing as what we usually mean when we talk about security vulnerabilities.
SECURITY GLOSSARY: Vulnerabilities and exploits explained ►
The risk here is at a much broader and more dangerous level, namely that apps containing obvious coding abuses – of any sort, not just abuses related to pop-over windows – are getting through the doorway into Google’s walled garden in the first place.
Google Play is a bit like a happening nightclub: the more people you attract, the more you attract people, so you want to make it popular and easy to get in.
But the faster you let people in, the less time you have to spend on keeping the troublemakers out up front.
In other words, sticking to Google Play isn’t a bad idea, but it can definitely give you a false sense of security.
Businesses are therefore in a bit of a Catch 22 over this: if you block Google Play, you may end up turning on Android’s “Allow installation apps from unknown sources” instead.
But “unknown sources” opens you up to a massive menagerie of mobile markets, in many of which almost anything goes, especially malware.
What to do?
For corporate management of mobile devices, it’s worth considering some sort of centralised mobile control software.
This can help your IT team to prevent egregious mistakes – for example, by unobtrusively blocking apps that no one has heard of yet and that therefore represent an as-yet unknown risk – while still allowing fun and freedom among better-trusted parts of the ecosystem.
That way, you can keep things locked down to Google Play, which is a good start, but also impose your own additional rules to keep you safe when Google doesn’t.
For your own Android device at home, why not try our Mobile Security for Android tool – it’s a free download. (Er, yes, you get it from the Play Store.)
Darryl Gittins
Gee willikers, if it’s any other software company that is “late” patching vulnerabilities, Google’s “Project Zero” is all over them like a dirty shirt, threatening to divulge AND actually divulging details if the company does not issue a fix according to Google’s expectations, much to the detriment the customers affected. But Google themselves can sit around and twiddle their thumbs? Maybe MS or Apple should divulge the details of the vulnerabilities to that hackers can fully reap the benefit of the information? You know, like Google does to MS and Apple? Or rather, to be specific, like Google does to MS and Apple customers?
Laurence Marks
Well, that’s silly! Why doesn’t Google modify Android so “Open A System_Alert_Window” is a “permission” just like “Access Contacts” or “Send SMS.” Then at the time of install, the user would have a chance to decide whether to grant the permission. Then force an update of all apps using System_Alert_Window so users can see and decide on the added permission.
It would be even better if Android had granular permissions, e.g., Allow SMS but forbid System_Alert_Window, instead of an all-or-none approach.
(I just deleted an NOAA Hurricane Tracker app which was relaying government data but popping up fake AV warning all the time. I couldn’t see a way to report it to Google–all I could do was give it a bad review.
Laurence Marks
What’s the plan for those of us stuck on Android 5. Lenovo, you know who you are. Moto E, Generation 2, US version XT1527
seanisko
Is it possible to detect over draws already? I don’t see why there isn’t a flag or option when instantiating a dialogue to detect that. Google already blocks accepting permissions with Android six.
2CentSource
This is a problem. I Love google but this needs to get fixed ASAP