Huge Android flaw leaves users wide open to malware – and it won't be fixed for months

A security vulnerability in the Android operating system (OS) that lets malicious applications hijack a device's screen has reportedly left nearly 40% of users vulnerable to ransomware, banking malware and adware – but Google says it won't be fixed for months.

The flaw was found in a core security mechanism of Android 6.0.0 (Marshmallow) and above, which based on official statistics is 38.3% of devices. Google has confirmed it is aware of the issue but says the bug won't be resolved until the release of 'Android O' in Q3 2017.

According to experts at cybersecurity firm Check Point, the problem persists due to a Google policy which grants certain permissions to applications directly installed from the official Play Store.

The faulty model – "SYSTEM_ALERT_WINDOW" – allows apps to "overlap" on a device's screen.

This, as the researchers noted in a blog post this week (9 May), is one key method used by hackers and cybercriminals to trick unwitting Android users into falling for malware and phishing scams that can result in ransomware, banking Trojans and adware.

Check Point said over 70% of ransomware (malware that locks down a system until money is paid to the hacker), over 50% of adware and roughly 15% banking malware spreads by exploiting this type of permission. "This is clearly not a minor threat," experts said.

In a previous temporary fix, Google unveiled a patch for Android 6.0.1 that allowed the Play Store application itself to have enhanced control over permissions, but it seemingly backfired. If a malicious app was downloaded from Play it would be "automatically granted" the permission.

The experts said: "Since Google understood the problematic nature of this permission it created the distinct process to approve it. This soon caused problems, as this permission is also used by legitimate apps, such as Facebook, which requires it for its Messenger chat."

While Google currently uses a system known as 'Bouncer' to automatically scan applications in an attempt to fend off those containing viruses, some can still slip through the cracks. Recently, uncovered strains have included 'BankBot' and 'FalseGuide'.

"Beware of fishy apps," the researchers warned, adding: "Users should always beware of malicious apps, even when downloading from Google Play. Look at the comments left by other users, and only grant permissions which have relevant context for the app's purpose."

According to Android Police, a technology website, the Android 'O' developer preview will include four releases in advance of the final build, currently set to hit the app stores in Q3. An exact date has not been announced, but we recently got a glimpse of Google's new Fuchsia OS.