Google has removed a feature of the Android operating system that has been used in the past in ransomware attacks.
Starting with Android O (8.0), set to be released in the fall of 2017, Google plans to deprecate the following window types: TYPE_SYSTEM_ALERT, TYPE_SYSTEM_ERROR, and TYPE_SYSTEM_OVERLAY.
These are special “system” windows that are shown above any app on the user’s screen. As you’d imagine, this is highly valued real estate for ransomware developers, who often aim to obtain the permission needed to show content via these windows.
Once they manage to obtain such permission, they use these windows to block the user’s access to the rest of his phone and show ransom notes.
Google’s anti-ransomware efforts sabotaged by OEMs
Starting with Android Marshmallow (6.0), Google reclassified the permissions of these system windows to the “Above dangerous” class.
Previously, Android had only two permission classes: Normal and Dangerous. The difference between the two is that the Android OS itself can grant apps access to Normal permissions (adjusting the time zone, accessing mundane sensors, etc.), while the user has to grant access to Dangerous permissions himself.
For Above Dangerous permissions, requesting apps can provide instructions, but the user has to go to an Android settings section, on his own, to grant access to the SYSTEM_ALERT_WINDOW permission, similar to how access is granted for Accessibility features and Device Administrators, two other features also often abused by ransomware.
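As an added triage example (not code from the article, from Google, or from any product it mentions), the following Python script reads a decoded AndroidManifest.xml and a decompiled source fragment and flags the three capabilities the article names as abused together: the SYSTEM_ALERT_WINDOW permission, an accessibility service, and a device-admin receiver, plus any reference to the three window types being deprecated. The sample manifests, the source fragment and the scoring weights are constructed for illustration; the permission strings are the real Android framework names.

```python
"""Triage heuristic for Android packages: does the app ask for the overlay
permission, declare the other two commonly abused components, and reference
the system window types that Android O deprecates?  Added example, not from
the article; sample inputs and weights are constructed."""
import re
import xml.etree.ElementTree as ET

ANDROID_NS = "http://schemas.android.com/apk/res/android"
NAME_ATTR = "{%s}name" % ANDROID_NS
PERM_ATTR = "{%s}permission" % ANDROID_NS

# Permission that gates the "system" windows discussed in the article.
OVERLAY_PERMISSION = "android.permission.SYSTEM_ALERT_WINDOW"
# Framework permissions an accessibility service / device-admin receiver
# must carry on its manifest component (real Android permission names).
ACCESSIBILITY_BIND = "android.permission.BIND_ACCESSIBILITY_SERVICE"
DEVICE_ADMIN_BIND = "android.permission.BIND_DEVICE_ADMIN"
# WindowManager.LayoutParams constants the article says Android O deprecates.
DEPRECATED_WINDOW_TYPES = ("TYPE_SYSTEM_ALERT", "TYPE_SYSTEM_ERROR", "TYPE_SYSTEM_OVERLAY")


def analyze_manifest(manifest_xml):
    """Return which of the three abused capabilities a decoded manifest declares."""
    root = ET.fromstring(manifest_xml)
    requested = {e.get(NAME_ATTR) for e in root.iter("uses-permission")}
    component_perms = set()
    for tag in ("service", "receiver"):
        for comp in root.iter(tag):
            perm = comp.get(PERM_ATTR)
            if perm:
                component_perms.add(perm)
    return {
        "requests_overlay": OVERLAY_PERMISSION in requested,
        "accessibility_service": ACCESSIBILITY_BIND in component_perms,
        "device_admin": DEVICE_ADMIN_BIND in component_perms,
    }


def find_deprecated_window_types(source_text):
    """Names of the deprecated window-type constants referenced in decompiled source."""
    return [t for t in DEPRECATED_WINDOW_TYPES
            if re.search(r"\b%s\b" % t, source_text)]


def triage(manifest_xml, source_text):
    """Combine manifest flags and source hits into a constructed score with reasons."""
    flags = analyze_manifest(manifest_xml)
    window_types = find_deprecated_window_types(source_text)
    score, reasons = 0, []
    if flags["requests_overlay"]:
        score += 2
        reasons.append("requests SYSTEM_ALERT_WINDOW")
        if window_types:  # overlay permission plus the deprecated types is the article's pattern
            score += 2
            reasons.append("references deprecated window types: " + ", ".join(window_types))
    if flags["accessibility_service"]:
        score += 1
        reasons.append("declares an accessibility service")
    if flags["device_admin"]:
        score += 1
        reasons.append("declares a device-admin receiver")
    return {"score": score, "reasons": reasons,
            "deprecated_window_types": window_types, **flags}


# Constructed sample inputs (not from any real app).
SUSPICIOUS_MANIFEST = """<manifest xmlns:android="http://schemas.android.com/apk/res/android"
    package="com.example.constructed.sample">
  <uses-permission android:name="android.permission.SYSTEM_ALERT_WINDOW"/>
  <uses-permission android:name="android.permission.INTERNET"/>
  <application>
    <receiver android:name=".AdminReceiver"
        android:permission="android.permission.BIND_DEVICE_ADMIN"/>
  </application>
</manifest>"""
SUSPICIOUS_SOURCE = """// constructed decompiled fragment
params.type = WindowManager.LayoutParams.TYPE_SYSTEM_ALERT;"""

BENIGN_MANIFEST = """<manifest xmlns:android="http://schemas.android.com/apk/res/android"
    package="com.example.constructed.benign">
  <uses-permission android:name="android.permission.INTERNET"/>
  <application/>
</manifest>"""
BENIGN_SOURCE = "// constructed fragment with no overlay code\nint x = 1;"

if __name__ == "__main__":
    for label, m, s in (("suspicious", SUSPICIOUS_MANIFEST, SUSPICIOUS_SOURCE),
                        ("benign", BENIGN_MANIFEST, BENIGN_SOURCE)):
        result = triage(m, s)
        print(label, result["score"], result["reasons"])
```

The script only reads static declarations, so it is a prioritisation aid for an analyst, not a verdict: a legitimate chat-head or screen-filter app also requests SYSTEM_ALERT_WINDOW, and, as the article notes, ransomware that uses ordinary user-level windows declares none of this.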
Dinesh Venkatesan, Principal Threat Analysis Engineer, says this didn’t actually stop Android malware and ransomware authors, who just found various workarounds to get that permission.
It also didn’t help that certain Android phone manufacturers didn’t move this permission in the Above Dangerous category in their modified Android distributions, nullifying Google’s work.
Google adds button to shut down abuse apps
Now, with Android O, for which Google released a developer preview at the end of March, Google has taken this choice away from OEMs and has deprecated three types of system windows often used by ransomware authors. This means ransomware authors will need to find new ways of showing ransom notes and locking users’ screens.
And to make things even safer, Google is now allowing users to shut down apps that show other types of system windows.
Starting with Android O, when ransomware or other malware attempts to lock users via a system window, the user can pull down the Notifications panel and shut down the app that’s locking him out of his phone.
“It should also be noted that while the new OS features should prove to be a good defense against ransomware variants that use system alert windows, they will not affect other ransomware threats such as those that constantly pop up the lock screen using user level windows,” Venkatesan pointed out.
Nonetheless, despite these improvements, Google’s own Android Security Report showed that malware devs usually target older versions of the Android OS, where these improvements aren’t supported. It also helps that more devices run Android 4.x and 5.x, less secure versions, than 6.x and 7.x, meaning malware devs don’t have to go through all the trouble of bypassing Google’s new security features to make profits. So for the time being, ransomware is going to remain a problem on Android, but most likely for users of older OS versions.
Last year, with the release of Android Nougat (7.0), Google also added anti-ransomware improvements, by restricting the ability of malware to “programmatically” change device PINs and passwords.