The first developer preview of Google’s latest mobile operating system, Android O, has been released. As usual, the newest version of Android has several new features and updates. One of those updates has a direct impact on many Android ransomware threats.
Android ransomware using system-type windows will no longer work on devices running Google’s latest mobile operating system, even if the relevant permission has been granted by the device’s user.
Android O has deprecated the following window types:
- TYPE_SYSTEM_ALERT
- TYPE_SYSTEM_ERROR
- TYPE_SYSTEM_OVERLAY
In Android O, even if the malware draws the TYPE_SYSTEM window, the user can pull down the system settings from the top of the screen and “TURN OFF” the app causing the trouble (see image).
Figure. Android O allows users to “TURN OFF” troublesome apps
As discussed in an earlier blog surrounding the release of Android Marshmallow (6.0), one of the most common techniques used by Android ransomware is to draw a system-level window using one of the previously listed window types. This makes it so that the locked screen appears on top of all other windows on the device, effectively rendering the device unusable until the ransom is paid. This ability, when combined with auto start functionalities backed by a background service responsible for monitoring the malware’s sustained execution, has been a problem for Android users.
In past releases, Android restricted rogue applications using this functionality by moving the permission required to draw such windows, “SYSTEM_ALERT_WINDOW”, to the “above dangerous” category. While this move made it difficult for malware to obtain the permission, there were backward compatibility escape routes available as the new dynamic permission model was enforced only if the app was targeting Android Marshmallow and above. Only certain OEMs moved this permission to the “above dangerous” category and did not grant it by default even when the apps were not targeted to run on Android Marshmallow.
The move by Android O to deprecate certain system-type windows makes it much more difficult for some ransomware to function.
Android O is set to make life more difficult for ransomware authors as Google continues to improve its mobile operating system, continuously building on previous security enhancements. The changes implemented in Android O will deal a significant blow to Android ransomware. However, not all devices will receive the latest Android update and those stuck on older versions will remain at risk from ransomware using the tactics mentioned in this blog.
It should also be noted that while the new OS features should prove to be a good defense against ransomware variants that use system alert windows, they will not affect other ransomware threats such as those that constantly pop up the lock screen using user level windows.
Mitigation
Symantec recommends users follow these best practices to stay protected from mobile threats:
- Keep your software up to date
- Refrain from downloading apps from unfamiliar sites and only install apps from trusted sources
- Pay close attention to the permissions requested by apps
- Install a suitable mobile security app, such as Norton, to protect your device and data
- Make frequent backups of important data