back to article Android O-mg. Google won't kill screen hijack nasties on Android 6, 7 until the summer

Nearly 40 per cent of Android users are vulnerable to a security design flaw that Google won't fix until the next major revision of the mobile operating system. The cockup is a strange one, and was spotted by researchers. It affects Android 6.0.1 (aka Marshmallow) phones and above, which according to the official Android …

  1. tedleaf

    What,,a major flaw security flaw in android and playstore !!!

    Never..

    Google take months to tackle a major problem ,,who would believe it..

    1. Anonymous Coward
      Anonymous Coward

      I think you have reading and comprehension problems....

      Might want to read AND UNDERSTAND the "article". This isn't a flaw, it's by design, and due to external pressure from companies that were using(abusing) the functionality in the past and then threw their toys out the pram when told not to overlay ontop of other apps. As a grade period, they were told to sort their crap out, and granted a stay of execution as long as they were publishing on the play store. Apps in the wild were outlawed from overdrawing on the UI period.

      Seems Google did something reasonable here, as there is no proof that any apps on the Google Play store are abusing their power, and Checkpoint are (yet again) making themselves look like they are the security gutter-press, desperate to publish anything, regardless of how lame, and how damaging it is to their reputation. (I would never trust checkpoint, purely based on nonsense like this, they clearly can't differentiate between REAL threats and FAKE News)

      1. Jeffrey Nonken Silver badge

        I'm sorry, but a flaw in design is still a flaw. Nothing he said contradicts the article.

        1. Anonymous Coward
          Anonymous Coward

          What flaw in design? This was 100% Facebook pressure that curves Google to adopt a halfway short-term measure rather than just shutting the door outright....

    2. Simon Taylor 1

      Not a Google problem. With every app you install, you are asked to grant the permissions. Some people are so stupid that they do not read the screen and simply grant everything. You can also install the app, then deny it permission to a particular permission.

      How is Google supposed to fix people who don't protect themselves? I can see only 3 possibilities.

      1. Grant the permission without any user approval - yeh, right.

      2. Take the permission away altogether.

      3. Somehow educate people that apps asking for permission is an important thing to take notice of.

      Which would you prefer?

  2. frank ly Silver badge

    I'm an Android user

    "The first time the app tries to pop open an overlay, and SYSTEM_ALERT_WINDOW permission isn't granted, you'll be asked if you're OK with the intrusion. .....

    .....Users wouldn't or didn't know how to enable access so the application wouldn't work properly."

    Am I really that stupid?

    1. big_D Silver badge

      Re: I'm an Android user

      You? Probably not. 95% of Android users? Absolutely.

      1. HollyHopDrive

        Re: I'm an Android user

        @big_D a bit harsh...but anybody stupid enough to let Facebook apps on their phones are certainly in that category.

        Bit of a Schoolboy error on Google's part. Especially when you consider when apple says no to something everybody just says that's the apple walled garden and deal with/put up with it, but Google didn't take the same stance and in this instance should have.

        I'm a massive android fan but this has face palm all over it.

        1. big_D Silver badge

          Re: I'm an Android user

          I have to configure about half a dozen Android devices every week, because the users don't know how to set them up themselves - they can't even follow the on screen prompts for setting up their email account.

          Outside the office, I am constantly being asked why so and so dialog has appeared, what does it mean, must the user do something. Generally, I just need to look at the explanatory text displayed on the screen and react to it...

    2. Brewster's Angle Grinder Silver badge

      Re: I'm an Android user

      "Am I really that stupid?"

      I've had users press the button that says, "Get my position from GPS" and then refuse the GPS permission dialog that Android pops up.

      1. Anonymous Coward
        Anonymous Coward

        Re: I'm an Android user

        That is because the user does not see the connection between his action and the dialog box that subsequently shows up, and the reason he doesn't is a reflection of poor interface design combined with really low user trust in the whole online business.

        Fix the interface to reflect the reality, which is that most users have very low levels of trust in their phones and reflexively say 'No' to anything that looks like a warning of adverse consequences. The fix is : This Action will enable Geo-whatever. Is this what you want?" No (default) / Yes (please proceed).

        Stop blaming the users. Think your elderly mother, if you wish. Or your grandkids.

        1. Brewster's Angle Grinder Silver badge

          Re: I'm an Android user

          "That is because the user does not see the connection between his action and the dialog box that subsequently shows up"

          The whole thing was designed very carefully over several iterations to minimise this problem. The button was put in place so the OS prompt was always user initiated. It was put on a screen showing the default position on a map with nothing else to distract the user. There was a sentence explaining why we needed the position and what the consequences of refusing would be. The button used the same phraseology as the OS. And 99.9% of users managed fine. There was just this residual who couldn't manage it.

          But, yes, at least some of them seemed to think they grant permission by pressing our button and see the Android dialog as something separate. So they didn't see the connection.

          1. anonymous boring coward Silver badge

            Re: I'm an Android user

            If you failed to inform the user that a subsequent permission dialog will be popping up, related to your app, then it's your own fault for making poor design choices. The user is quite right in being suspicious and saying no to almost everything.

  3. Baldrickk Silver badge

    Most users...

    "Since most users won’t be able to approve the permission manually, such apps could be hurt by it."

    Most users should be able to follow some simple instructions on what to do, just tell them how to enable it in your app if you want to use that feature.

    It's not like the android settings menu is as complex as say, the Windows Registry.

    Heck, my file browser uses this method to tell the user how to enable SD card access, so it's not like it's not been done before.

    Oh, and that facebook messenger 'bubble'? It can go die in a fire. I won't let facebook's apps anywhere near my phone, but on other's phones who use it, it is constantly covering useful bits of other apps which are, funnilly enough, not designed to have a chunk of their UI hidden.

    Of course you can move it, but then it is hiding something else, if not in that app, in another.

    Intrusive crud.

    1. Charles 9 Silver badge

      Re: Most users...

      You overestimate the intelligence of the average Android user. Think VTR clocks even in the age of clock signals on the telly, and they can't even do THAT right half the time. Yes, sometimes even a few simply touches is beyond them.

      1. jMcPhee

        Re: Most users...

        <<You overestimate the intelligence of the average Android user>>

        True... back in the day, many of them had 12:00 flashing on their VCR's

      2. Sorry that handle is already taken. Silver badge

        Re: Most users...

        You overestimate the intelligence of the average Android user.

        Is there something about Android users that makes them dumber than users of other mobile OSes?

        1. Brenda McViking
          Trollface

          Re: Most users...

          Having an android is just like owning a swiss army knife. If you're dumb, you'll end up slicing your fingers off. If you're a normal user, there are a tonne of features that you'll never use, and if you're a power user, then it's the only option.

          iOS on the otherhand is like owning a safety cutter. It's brightly coloured, can be safely operated by a child, is unlikely to hurt you but is fairly useless for anything other than what the designers envisioned it to be used for.

          And then there is Windows phone which is just the brain-damaged love-child of the above.

    2. Field Commander A9

      Re: Most users...

      "just tell them how to enable it in your app if you want to use that feature"

      There're about just slightly more than a million Android "Distros" out there each with a ever slightly different UI logic&design&layout, so good luck getting your user to find that option they needed,

  4. The Brave Sir Robin

    They'll fix it, but users won't get it

    The big problem with Android still exists. Users of anything other than brand new models will never get the updated Android with security fixes. Once you've paid your cash, phone manufacturers don't give a crap any more. People's only option is to flash a 3rd party Android on their phone, something which the average Joe won't have the skills for.

    Google really need fix the problem of users being left out in the cold.

    1. BebopWeBop Silver badge

      Re: They'll fix it, but users won't get it

      Well to be fair, the odd diehard (such as Wiley Fox) are doing their best to update phones.

      1. JimmyPage Silver badge
        FAIL

        odd diehard (such as Wiley Fox) are doing their best to update phones.

        And then break them.

        Last Android update (to Nougat) has borked so many of my apps it would have been quicker to buy a new phone.

        Some borks were really subtle too, like the Bluetooth stack - my phone stopped pairing with my car. First I knew of it was when the phone rang

        1. fuzzie

          Re: odd diehard (such as Wiley Fox) are doing their best to update phones.

          Sadly, this off- and on-against fsck'ing with the Bluetooth stack has been an ongoing PITA since Android 4.3 (maybe even marginally) earlier. Even between minor updates behaviour would flip-flop from working to/from no-working. I'd love to get myself Bluetooth handsfree et al for my car, but really aren't keen on the crapshoot of now-it-works-now-it-doesn't.

    2. Charlie Clark Silver badge
      Stop

      Re: They'll fix it, but users won't get it

      Google really need fix the problem of users being left out in the cold.

      Wrong, I'm afraid. The manufacturers need to be forced by the courts to do this: Google has no obligations whatsoever to individual consumers.

      1. VinceH Silver badge

        Re: They'll fix it, but users won't get it

        "> Google really need fix the problem of users being left out in the cold.

        Wrong, I'm afraid. The manufacturers need to be forced by the courts to do this: Google has no obligations whatsoever to individual consumers."

        Ordinarily, I'd agree - but in this case Google are exacerbating the problem by choosing not to address it until the next major version. That's just so incredibly... well, Google, actually.

        1. Patched Out
          Trollface

          Re: They'll fix it, but users won't get it

          Just get an older Android phone for which updates are no longer being provided. Problem solved!

    3. Anonymous Coward
      Anonymous Coward

      Re: They'll fix it, but users won't get it

      They'll fix it, but users won't get it

      False. It's managed by play service and play store, so EVERYONE will get it, and get it pretty soon after Google toggles the switch.

      Your failure to grasp this, suggests you have no understanding the differences between Android, Google Play Services.

    4. Anonymous Coward
      Anonymous Coward

      Re: They'll fix it, but users won't get it

      "Users of anything other than brand new models will never get the updated Android with security fixes. "

      Untrue. Google have been moving parts into updatable modules via play services. BoringSSL is a serviceable Google play module, as is much of the media playback library. All android devices get these updates.

      Most phones get reasonable patching, my wife's 18 month old Samsung S3 got March 2017 update.

      What the real agenda is, is purple are hoping to get full version android upgrades on old devices, that's simply not going to happen, even apple don't do that (not even after aging apple premiums), they pretend they do with feature lite pretend updates, that have the correct number but missing key features

  5. Dan 55 Silver badge

    Everybody will have to upgrade to Android O

    This is crap (what Google are doing, not the article).

    Google care more about the potential lost ad revenue from (malware) apps running on outdated versions of Android than backporting a dialog with allow/deny buttons the first time overpaint is used or whatever it is they're going to do in Android O.

    The fix would eventually arrive on many phones, more phones than Android O will.

    1. Eddy Ito Silver badge

      Re: Everybody will have to upgrade to Android O

      It's less backporting since Lollipop and previous already have this. It's more fixing the cockup of implementing a feature they made allowed by default in Marshmallow & Nougat. To me it's bullshit feature because isn't this exactly what notifications is for?

  6. Planty Bronze badge
    FAIL

    In short

    Google were forced to compromise, and now only non store apps are forced to comply, app store supplied apps have a free pass and now there might be a possibility they may may miss something on the store.

    Slow news day? Checkpoint really are desperate...

    1. sabroni Silver badge
      Thumb Up

      Re: In short

      The Google Planty strikes again.

      No, of course it's not news. Google just enabled the play store to grant permissions for apps so I don't have to approve them at install time. Saves me a whole load of time reading permissions screens and trying to understand them.

      Thanks Google, I trust you implicitly with the security of my device. If you think an app should be granted some permissions on my phone then that's good enough for me!

  7. Aqua Marina Silver badge

    I'm seeing something like this regularly on my iphone in Safari. A pop up fills the window, and cannot be shut down unless I click the button being offerred that will "let me speak to a microsoft technician who will remove the malware from my PC". The image seems to be perfectly sized so that I cannot scroll up or down to get to the control bars at the top or bottom. If I kill safari, then once I start it back up, the last page viewed is shown, and blam, I'm back to the same screen. To get around it I have to kill safari, then go into the settings and erase the safari history.

    1. Robert Carnegie Silver badge

      Safari problem

      That Safari thing sounds like what was described here - in July 2015 - and elsewhere.

      http://www.tomsguide.com/us/stop-ios-crash-popup-scam,news-21354.html

      You seem to be on top of it, up to a point. Stated preventions include disabling popups in Safari and/or disabling JavaScript. I'd also suggest "don't use web sites that do this" and maybe "press the Escape key or Ctrl Alt Delete" :-)

      If it's in advertisements in web pages - if you have narrow interests, you may get the same advertisement over and over again, and this is the one......

      So the remedy is to use Facebook...... then the internet knows everything about you......

      Or block the ads? All the cool kids are doing this.

    2. Anonymous Coward
      Anonymous Coward

      ransome ware pop ups on iOS safari

      I have seen one or two of these on, er, "special Interest" sites. A little distressing at first, then just plain annoying once you know how to clear it.

    3. Packet

      Can't you just close the tab? my understanding is that js doesnt take over the entire ui - leaving access to tabs available.

      (tap the bottom / top of the device to get the tabs bar to show up)

  8. Tony W

    Permission system is not much use as anti-malware

    If the user has installed an apparently useful app, then they will probably also give it permissions. So having to click to give a permission is probably no safeguard at all to the average user.

    The fundamental problem is installing the malware, not giving it the permissions. Many legitimate apps need permissions that would be very dangerous if the app were malware (starting with virtually all of Google's own apps.) This permission would seem reasonable for any app that gives "important" notifications, so most people would just grant it.

    Having said that, of course Google was still wrong to deliberately bypass their own permissions system, specifically in order to allow an app to behave very intrusively. And more wrong to withhold the remedy from most existing users.

  9. Named coward

    Android O

    "Android O, which will most likely be out this summer or autumn"

    and on most "newish" devices sometime next year...and on slightly older devices...HAHAHA

    And things like cyanogen don't count. If the users are unable to manually grant a permission they are also unable to install an alternate OS.

  10. Anonymous Coward
    Anonymous Coward

    By "Fix"

    do they mean modify so only chocolate factory approved adverts are allowed to pop over your display?

  11. Hans Neeson-Bumpsadese Silver badge

    The one thing saving you is to [...] rely on Google policing it properly to remove crappy apps

    I just laughed so hard I think a bit of wee came out

  12. noboard
    Coat

    I can't beleive you people

    I for one am glad Google are putting the needs of facebook before my security, it's the only sane choice.

  13. Gio Ciampa

    Poor coding by Facebook - abetted by Google?

    I run a number of apps on my (rooted LineageOS-powered) phone that ask very nicely when they want you to grant a certain permission - explaining why it's required before you go anywhere near the settings screens...

    ...if a one-man outfit can put in the effort to do this ... (to borrow from Clarkson) how hard can it be...?

    Shame on Facebook for the sheer laziness (and bloodymindedness) in not getting this sorted out - and Google for letting them get away with it...

    (I always turned chat heads off anyway - a simple notification was sufficient for me... and then I dumped the official apps entirely for the likes of Folio and Friendly that just act as wrappers around the mobile web site - 95% of the functionality, and 95% saved space not installing things I never need)

  14. RyokuMas Silver badge
    FAIL

    "Google has told Check Point that the issue will be fixed in Android O, which will most likely be out this summer or autumn."

    Probably busy working on their new OS that doesn't rely on a non-google-controlled kernel...

  15. Andrew Jones 2

    It is worth pointing out though - that key parts of the OS can't be hijacked with this method. Ask anyone who runs a full screen overlay like Twilight. You can't for instance tap the Install button, or factory reset the device, or approve a new device administrator app while Android thinks that an overlay might be trying to trick you.

  16. caffeine addict Silver badge

    I'm sorry...?

    Are we not going to discuss that image on the front page? WTF is she doing? It looks like she's about to taste some freshly bonfire-roasted horse shit.

    1. OrneryRedGuy
      Holmes

      Roasted marshmallows

      She's about to eat completely burnt-up nasty roasted marshmallows, getting a mouthful of bitter char instead of the sweet treat she expected. Much like users of Android Marshmallow, we are to infer.

      Do I get any points for explaining the joke?

      1. adnim Silver badge
        Facepalm

        Re: Roasted marshmallows

        Why did I think they were her ex-boyfriends testicles?

        1. OrneryRedGuy

          Re: Roasted marshmallows

          That's between you and your obviously very guilty conscience. Unless you fall victim to this flaw, in which case we all might find out.

    2. MrT

      For a clearer view...

      ... go to the image's regmedia link and remove the crop and size tags:

      https://regmedia.co.uk/2017/05/09/marshmallow_shutterstock.jpg

      Marshmallows cooked by the Chef from South Park, maybe?

  17. Boohoo4u

    The only pop ups I get are for things in my calendar, but then I only use the Apple App Store.

    : p

    Have fun navigating the Android mine field.

  18. PaulR79
    FAIL

    Taking permissions away is bad

    "However, this soon caused problems, as this permission is also used by legitimate apps, such as Facebook, which requires it for its Messenger chat heads feature. Since most users won’t be able to approve the permission manually, such apps could be hurt by it."

    I'm sorry but I fail to see the loss here. Here's a thought. If it was impacted they could update their app so it can see if the permission is granted and if it isn't then it points the user to a page where they can read how to give it permission. Instead we've got one door wide open for a few apps that were abusing the feature to begin with.

    As someone that uses Google stuff a lot I'm amazed at how short-sighted this 'solution' is to the problem. I'm annoyed that they are seemingly fine with this being left alone until the next version. I couldn't care less if this wiped Facebore off the face of the planet but clearly a bunch of people having to pull down a notification shade to chat is more problematic than a gaping hole in your OS.

    I have a solution. Tell Facebore et al to go die in a hole, release patches where possible and promptly give access to documentation on permissions and what they mean. I've thought for a long time now that every app should clearly explain why it needs each permission before you grant it access at install time. Those who get caught by bad malware and scams will ignore it and click accept as they always do (and suffer for it) but everyone else gets to see what they are allowing apps to do. I'd also make it clear that any app update must come with a changelog and not just "Bug fixes and performance improvements".

  19. Jim Birch

    Another psychotic discussion thread.

    Take your pick, people:

    1. A fully locked down environment.

    2. An open environment where safety requires good IT security skills that are regularly updated.

    3. Something in the middle.

    What I want to know s this: Are the same voices that bitch about the lockdown the same people who bitch about security weaknesses?

    Empirically we know what happens when the system allows users to give away their security to achieve better application functionality. I can tell you where the model is headed as it matures. Operating systems used by the masses get increasingly locked down. App store policing increases. Eventually we end up with a phone/tablet/computer that won't allow an idiot to circumvent its security. Or at least, make it very difficult.

    And the invincible space cadets will continue to complain for a long time because they have to.

POST COMMENT House rules

Not a member of The Register? Create a new account here.

  • Enter your comment

  • Add an icon

Anonymous cowards cannot choose their icon

Biting the hand that feeds IT © 1998–2019