One of the most common methods by which phishing malware can capture your credentials on an Android device is by letting one app overlay its screen on top of another app.
You'll think you're typing in your password into Uber, WhatsApp or a banking app, but you might really be giving it to Crazy Ivan and his gang of pimply cyberthieves. Or you might think you're playing a mobile game, but you're really pushing buttons that let one app install other apps. Or the screen will lock up with a ransomware message saying that you have to pay up to access other apps.
Yet Google, much to the chagrin of security researchers, has permitted any app downloaded from the Play Store to overlay another. (Facebook Messenger, among other legitimate apps, uses this feature for notifications.) Now, says the Israeli security firm Check Point, screen overlays will be dialed back in the next major update to the operating system, Android O.
That's a boon to everyone who uses an Android device. While it won't eliminate the phishing threat, it will make it less easy for miscreants to steal your credentials.
According to a Check Point report posted yesterday (May 9), Google tried to contain the screen-overlay threat with the release of Android 6.0 Marshmallow, which turned off the feature by default and asked the user to authorize the feature whenever one app wanted to overlay its screen on top of another.
But that created problems with legitimate apps, such as Facebook Messenger, that use screen overlays to alert users to new messages. So with the next version of Marshmallow, Android 6.0.1, Google scaled back the security and allowed any app downloaded from the Google Play Store to overlay other apps without user authorization. (Overlays from apps that come from outside Google Play still require the user's OK.)
That's a problem, because while the vast majority of Android malware comes from "off-road" app markets, malicious apps do make it into Google Play. And thanks to the screen-overlay function, they can capture your credentials pretty easily. That message you think is coming from the app you're using may in fact be from a rogue app that is going to transmit your stolen password back to the bad guys.
When Check Point "reported" the screen-overlay issue to Google — "mentioned" might be more accurate, because this issue has been openly discussed for a few years — the tech titan responded that the issue will be dealt with in Android O, expected to roll out this fall.
The new OS will still permit screen overlays, but the overlays will lie "under" what Google dubs "critical system windows," such as the on-screen keyboard and the status bar at the top of the screen. In that way, screen overlays will theoretically be more obvious to users.
That's good news. But, as with previous Android versions, the latest letter-grade revision will take months to spread out to the cornucopia of Android devices. Google's Pixel and Nexus handsets will get the update first, likely followed by Samsung Galaxy smartphones and other flagship devices later in the year. As for the rest of the Android ecosystem, owners of those devices know not to hold their breath for their carriers to push out an update.
So what can you do now?
Aside from looking at apps in the Google Play store with a healthy amount of suspicion, you can take a couple of steps to protect your phone from malware that exploits the screen-overlay issue.
First, make sure that "Unknown sources" is unchecked in your device's security settings. That will prevent your device from downloading any software from outside the Google Play store.
Second, give your Android device the gift of antivirus software, which will stop almost all malware from installing. Our favorite paid (Bitdefender Mobile Security) and freemium (Norton Mobile Security) options both earned perfect 100-percent malware detection rates in recent independent testing.
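As an added example that is not part of the original article, the following script audits a connected Android device for the two risk factors described above: which user-installed apps are currently allowed to draw over other apps (the SYSTEM_ALERT_WINDOW app-op), and whether "Unknown sources" is switched on. It assumes adb from the Android platform-tools is installed and that USB debugging is enabled on the device; the parsing helpers can be exercised without a device.

```shell
#!/bin/sh
# Added example (not from the original article): audit a connected Android
# device for the two risk factors discussed above. Assumes adb (Android
# platform-tools) is installed and USB debugging is enabled on the device.

# Extract the overlay AppOps mode ("allow", "deny", "default", "ignore") from
# the output of `appops get <pkg> SYSTEM_ALERT_WINDOW`. Prints "unset" when
# the op has never been recorded for the app ("No operations.").
overlay_mode() {
    mode=$(printf '%s\n' "$1" | sed -n 's/^SYSTEM_ALERT_WINDOW: *\([a-z]*\).*/\1/p')
    if [ -n "$mode" ]; then
        printf '%s\n' "$mode"
    else
        printf 'unset\n'
    fi
}

# Interpret the secure setting install_non_market_apps ("Unknown sources").
unknown_sources_state() {
    case "$1" in
        1) printf 'ENABLED (sideloading allowed)\n' ;;
        0) printf 'disabled\n' ;;
        null|"") printf 'setting not present on this Android version\n' ;;
        *) printf 'unrecognised value: %s\n' "$1" ;;
    esac
}

# Query the live device. `pm list packages -3` lists third-party
# (user-installed) packages only; system apps are left out.
audit_device() {
    if ! command -v adb >/dev/null 2>&1; then
        echo "adb not found; skipping live device audit" >&2
        return 2
    fi
    echo "Overlay (SYSTEM_ALERT_WINDOW) mode per third-party app:"
    adb shell pm list packages -3 | tr -d '\r' | sed 's/^package://' |
    while read -r pkg; do
        out=$(adb shell appops get "$pkg" SYSTEM_ALERT_WINDOW | tr -d '\r')
        printf '  %-50s %s\n' "$pkg" "$(overlay_mode "$out")"
    done
    setting=$(adb shell settings get secure install_non_market_apps | tr -d '\r')
    echo "Unknown sources: $(unknown_sources_state "$setting")"
}

audit_device || true
```

Any third-party package reported as "allow" can draw over other apps right now; an unexpected entry there is worth uninstalling.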