Subscribe to our newsletters
Sign Up

The Hacker News — Cyber Security, Hacking, Technology News

Wednesday, May 10, 2017 Mohit Kumar

android-permissions-vulnerability
Millions of Android smartphones are at serious risk of "screen hijack" vulnerability that allows hackers to steal your passwords, bank details, as well as helps ransomware apps extort money from victims.

The worse thing is that Google says it won't be patched until the release of 'Android O' version, which is scheduled for release in the 3rd quarter this year.

And the worse, worse, worse thing is that millions of users are still waiting for Android N update from their device manufacturers (OEMs), which apparently means that majority of smartphone users will continue to be victimized by ransomware, adware and banking Trojans for at least next one year.

According to CheckPoint security researchers, who discovered this critical flaw, the problem originates due to a new permission called "SYSTEM_ALERT_WINDOW," which allows apps to overlap on a device's screen and top of other apps.

This is the same feature that lets Facebook Messenger floats on your screen and pops up when someone wants to chat.

Starting with Android Marshmallow (version 6), launched in October 2015, Google updated its policy that by default grants this extremely sensitive permission to all applications directly installed from the official Google Play Store.

This feature that lets malicious apps hijack a device's screen is one of the most widely exploited methods used by cyber criminals and hackers to trick unwitting Android users into falling victims for malware and phishing scams.
"According to our findings, 74 percent of ransomware, 57 percent of adware, and 14 percent of banker malware abuse this permission as part of their operation. This is clearly not a minor threat, but an actual tactic used in the wild," CheckPoint researchers notes.
Google has been using an automated malware scanner called Bouncer to find malicious apps and prevent them from entering the Google Play Store.

Unfortunately, it’s a known fact that Google Bouncer is not enough to keep all malware out of the market and our readers who are following regular security updates better aware of frequent headlines like, "ransomware apps found on play store," "hundreds of apps infected with adware targeting play store users."

Recently, researchers uncovered several Android apps available on Play Store carrying the 'BankBot banking trojan,' which abused the SYSTEM_ALERT_WINDOW permission to display overlays identical to each targeted bank app's login pages and steal victims' banking passwords.

This means that still, an unknown number of malicious apps are out there on Google Play Store equipped with this dangerous permission, which could threaten the security of millions of Android users.
“After Check Point reported this flaw, Google responded it has already set plans to protect users against this threat in the upcoming version “Android O.”
“This will be done by creating a new restrictive permission called TYPE_APPLICATION_OVERLAY, which blocks windows from being positioned above any critical system windows, allowing users to access settings and block an app from displaying alert windows.”
Meanwhile, users are recommended to beware of fishy apps, even when downloading from Google Play Store.

Moreover, try to stick to the trusted brands only and always look at the comments left by other users.

Always verify app permissions before installing apps and grant only those permissions which have relevant context for the app's purpose if you want to be safe.

Monday, August 17, 2015 Khyati Jain

"Android M will be Muffin?, or Mango shake?, Milkshake?, Malt ball?, Moon Pie?, Macaroon?, or is it Mars?, Marshmallow?"...

…this was the guessing game that occupied most of us when Google created a suspense three months ago, at the launch of the Android M Developer Preview at Google I/O in May.

Much awaited Android M is named as 'Marshmallow'; it is the thirteenth Google's Android operating system. Google revealed the 'Marshmallow' by following its ritual of keeping the statue of Android robot with a Marshmallow in his hand.

Google has maintained its tradition of naming the dominant mobile Android operating system by the names of sugary delights, starting from:
  • Cupcake
  • Donut
  • Eclair
  • Froyo
  • Gingerbread
  • Honeycomb
  • Ice Cream Sandwich
  • Jelly Bean
  • KitKat
  • Lollipop

Official Android 6.0 SDK Available for Download


After the final Developer Preview, the official Android 6.0 Software Developer Toolkit (SDK) is now available for download from the Android Studio.

With this Google also opened the gates of Google Play for publishing apps that target the new API level 23 in Android Marshmallow. Developers aiming to develop or update applications for Android can now download the software development kit.

What Makes Android Marshmallow more Secure than old Android Versions


  • Strong Security Mechanism and APIs
  • Support for Fingerprint Sensors
  • Includes Power Saving Mode called Doze
  • Rationalized Permission Model

Marshmallow defines the Android operating system in a new way altogether, as it comes with strong security mechanisms and Application Programming Interfaces (APIs), absolutely one of its kind.

It includes native support for fingerprint sensors, allowing the authentication method to be used for Google Play Store and Android Pay services, thus increasing the security of the device.

There's also an API that helps developers make use of fingerprint sensors to build their apps.

The Previous Android version 5.1.1 Lollipop had some security and issues, therefore the current Android version 6.0 will provide with an updated power-saving mode called 'Doze' capable of reducing background activity when the mobile device is not being held.

Marshmallow also rationalizes the "Permissions model" for users to install and upgrade apps.

Many of us might not be paying any attention to the app permissions while installing an app. However, with Android Marshmallow, you may want to check what it used to be.

Users when installing or upgrading apps need not grant any permissions. Instead, an app requests permissions from the user as and when it needs them.

Android Marshmallow streamlines the app install and update process. By increasing user flexibility, Marshmallow makes sure that an app behaves as expected even after disabling a specific app permission.

If an Android app supports the new permission model, it can still be installed and run on smartphone devices running older versions of Android operating system using the old permissions model on those devices.
"The Android emulator system images and developer preview system images have been upgraded for supported Nexus devices [which include Nexus 5, Nexus 6, Nexus 9 & Nexus Player] to help with your testing," reads the official Android blog.

"Although the Android 6.0 SDK is final, the devices system images are still developer preview versions. The preview images are near final, but they are not intended for consumer use."
For the consumers to experience the taste of Marshmallow, they have to wait till its availability in the Q3 2015.

Thursday, May 07, 2015 Mohit Kumar

android-m-6-update
While majority of smartphone users are waiting for Android 5.0 Lollipop update for their devices, Google is soon going to launch the next version of Android at its official Google I/O 2015 developer event May 28 in San Francisco.

Android M — The name of the latest version of Android mobile operating system was spotted at the Google I/O 2015 schedule under the "Android for Work Update" Session, which says…
"Android M is bringing the power of Android to all kinds of workplaces."
According to the company, this will open up "huge new markets for hundreds of Millions of devices to workers at small businesses, logistics, deskless workers, and warehousing jobs."

However, Google appears to have since removed any mention of Android M from Google's I/O website, most probably the company wants to keep it as a surprise for Android users.

Considering the full Android releases with starting letters in alphabetical order, — Android M — strongly believes to be the next version of the Android operating system.

When the Google launched Android 5.0 at its developer conference last year, it was known by the name "Android L" before the company revealed its final name "Lollipop" months later.

Some More highlights:


The schedule also includes another session "Voice Access" known as "Your app, now available hands-free," which suggests that Google wants its users to control every feature of Android apps by their own Voice Command.
As the Voice Access session says, "In this talk, we introduce Voice Access, a service that gives anyone access to their Android device through voice alone."
The main highlights of the Google I/O schedule are yet Android M, which will eventually get some sweet sugary name too like all the previous versions of Android OS.

Till then, What do you think the "M" will stand for? Will it be Mousse, Muffin, or something else?

Hit the comments below.

Newsletter Subscription

Subscribe to our newsletter and get all latest hacking news, free eBooks delivered to your inbox.

Join Over 450,000 Subscribers!