Channel, Networking

Google Won’t Fix Android ‘contentjacking’ Flaw for Months

Phone in the dark

There’s recently been a lot of media coverage about a so-called Android vulnerability related to a feature called SYSTEM_ALERT_WINDOW.

Simply put, this is a special Android permission that grants an app the right to pop up content over another app, like a telephone app does if a call comes in while you’re browsing.

Obviously, this sort of power is ripe for abuse – a crook could make the popped-over window look exactly like what’s underneath, for example, and therefore phish you into putting your password into the wrong form, or trick you into clicking a button to approve the wrong action.

For this reason, according to security researchers at Check Point, Google made the SYSTEM_ALERT_WINDOW permission into one that couldn’t be used surreptitiously, starting in Android 6.

The first time an app tried to assert its right to write over the top of another app, you’d get a security warning that required explicit approval.

(That’s not a panacea, of course – generic-sounding security dialogs often get clicked away regardless – but it at least gave you a fighting chance of detecting risky app behavior.)

It seems, however, that many popular apps, such as Facebook and Pocket, used the SYSTEM_ALERT_WINDOW feature.

Users were therefore getting security warnings for apps that they otherwise considered to be perfectly safe.

As a result, Google backed off a bit from its security stance: in the Android 6.0.1 release, the alert window that popped up to warn you that a SYSTEM_ALERT_WINDOW was about to pop up…

…was suppressed if the app had come from Google Play.

You might think, if Google felt strongly enough to consider SYSTEM_ALERT_WINDOW a potential malware-related security problem in the first place, that it would take extra care over approving Play Store apps that made use of it.

According to Check Point, however, many apps that abuse SYSTEM_ALERT_WINDOW to create malicious visual overlays have been found in Google Play – sufficiently many, in fact, that the media has dubbed this an actively exploited vulnerability.

Google doesn’t seem to agree, as it says that a “fix” will be out only in the next release of Android, version O, which is likely to appear more than 90 days from now. (90 days is the longest that Google’s Project Zero thinks it should take to patch a security hole.)

Vulnerability or not?

We’re inclined to concur that the SYSTEM_ALERT_WINDOW permissions issue isn’t really a vulnerability – it’s more of a security improvement that ended up shelved, which is not the same thing as what we usually mean when we talk about security vulnerabilities.

The risk here is at a much broader and more dangerous level, namely that apps containing obvious coding abuses – of any sort, not just abuses related to pop-over windows – are getting through the doorway into Google’s walled garden in the first place.

Google Play is a bit like a happening nightclub: the more people you attract, the more you attract people, so you want to make it popular and easy to get in.

But the faster you let people in, the less time you have to spend on keeping the troublemakers out up front.

In other words, sticking to Google Play isn’t a bad idea, but it can definitely give you a false sense of security.

Businesses are therefore in a bit of a Catch 22 over this: if you block Google Play, you may end up turning on Android’s “Allow installation apps from unknown sources” instead.

But “unknown sources” opens you up to a massive menagerie of mobile markets, in many of which almost anything goes, especially malware.

What to do?

For corporate management of mobile devices, it’s worth considering some sort of centralised mobile control software.

This can help your IT team to prevent egregious mistakes – for example, by unobtrusively blocking apps that no one has heard of yet and that therefore represent an as-yet unknown risk – while still allowing fun and freedom among better-trusted parts of the ecosystem.

That way, you can keep things locked down to Google Play, which is a good start, but also impose your own additional rules to keep you safe when Google doesn’t.

For your own Android device at home, why not try our Mobile Security for Android tool – it’s a free download. (Er, yes, you get it from the Play Store.)

Paul Ducklin is senior security advisor at Sophos. Read more Sophos blogs here.