In a post on its blog, Check Point reports that it has discovered a security flaw in Android that opens the door to ransomware, banking malware, and adware. The flaw stems from a permission category introduced in Android Marshmallow that was supposed to let users manually approve apps requesting permissions on the phone. According to Check Point:
“Since Google understood the problematic nature of this permission, and the apparent risks for user privacy, it created the distinct process mentioned above to approve it. However, this soon caused problems, as this permission is also used by legitimate apps, such as Facebook, which requires it for its Messenger chat heads feature. Since most users won’t be able to approve the permission manually, such apps could be hurt by it.
As a temporary solution, Google applied a patch in Android version 6.0.1 that allows the Play Store app to grant run-time permissions, which are later used to grant SYSTEM_ALERT_WINDOW permission to apps installed from the app store. This means that a malicious app downloaded directly from the app store will be automatically granted this dangerous permission.”
The good news is that Google appears to have already addressed this flaw in the upcoming Android O update. The bad news is that users will have to wait for that update before it is fixed, unless Google decides to close the flaw earlier, and we’re not sure whether that will happen. In the meantime, users are advised to avoid any fishy-looking apps if they want to prevent their phones from being infected with malware.