Android malware has adapted its attack model to target the permission-granting model that Google introduced in Android 6.0 Marshmallow


Dinesh Venkatesan, Threat Analysis Engineer at Symantec, explains in this blog post that the authors of Android Trojans have adapted their attack models to target the permission-granting model that Google has introduced in Android 6.0 Marshmallow.

The model was designed to let users grant permissions only when apps require them, rather than accepting them all on installation. However, dangerous threats such as Android.Bankosy and Android.Cepsohord have adapted to this method in an attempt to gain the permissions they need to carry out their malicious activities.

Google improved the security of Android devices with the introduction of a new permission-granting model in the latest platform iteration, one designed to prompt users to grant permissions only when apps require them.

However, there is an exception to this rule: applications with the “target_sdk” attribute (targetSdkVersion in the app manifest) set to less than 23 don’t trigger the permission request dialog at runtime.

Basically, if an app has this attribute set to 22, all of the requested permissions could be granted during the app’s installation, although the user can manually revoke permissions for any app at any time.
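
The exception described above can be checked from an app's manifest. The following is an added example, not code from the Symantec post: it flags a manifest that combines a targetSdkVersion below 23 with dangerous permissions. It assumes the AndroidManifest.xml has already been decoded to text XML; the function name audit_manifest, the sample manifests and the permission subset are constructed for illustration.

```python
import xml.etree.ElementTree as ET

ANDROID_NS = "{http://schemas.android.com/apk/res/android}"
RUNTIME_PERMISSION_API = 23  # Android 6.0 Marshmallow

# Subset of permissions Android 6.0 classes as "dangerous" (not the full list).
DANGEROUS = {
    "android.permission." + name for name in (
        "READ_SMS", "RECEIVE_SMS", "SEND_SMS", "CALL_PHONE", "READ_CONTACTS",
        "READ_PHONE_STATE", "ACCESS_FINE_LOCATION", "CAMERA", "RECORD_AUDIO",
    )
}

def audit_manifest(xml_text):
    """Report whether dangerous permissions bypass the runtime prompt."""
    root = ET.fromstring(xml_text)
    sdk = root.find("uses-sdk")
    attrs = sdk.attrib if sdk is not None else {}
    # Platform defaults: targetSdkVersion falls back to minSdkVersion, then 1.
    min_sdk = int(attrs.get(ANDROID_NS + "minSdkVersion", "1"))
    target = int(attrs.get(ANDROID_NS + "targetSdkVersion", min_sdk))
    requested = {
        el.get(ANDROID_NS + "name") for el in root.iter("uses-permission")
    }
    dangerous = sorted(requested & DANGEROUS)
    legacy = target < RUNTIME_PERMISSION_API
    return {
        "target_sdk": target,
        "legacy_install_time_grant": legacy,
        "dangerous_permissions": dangerous,
        "flag": legacy and bool(dangerous),  # worth a closer look
    }

# Constructed sample manifests (not taken from any real app).
SAMPLE_LEGACY = """<manifest xmlns:android="http://schemas.android.com/apk/res/android"
    package="com.example.constructed">
  <uses-sdk android:minSdkVersion="16" android:targetSdkVersion="22"/>
  <uses-permission android:name="android.permission.INTERNET"/>
  <uses-permission android:name="android.permission.READ_SMS"/>
  <uses-permission android:name="android.permission.CALL_PHONE"/>
</manifest>"""
SAMPLE_MODERN = SAMPLE_LEGACY.replace('targetSdkVersion="22"', 'targetSdkVersion="23"')

if __name__ == "__main__":
    for label, text in (("legacy", SAMPLE_LEGACY), ("modern", SAMPLE_MODERN)):
        print(label, audit_manifest(text))
```

A flagged result is a triage signal only: many older legitimate apps also target an API level below 23.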

[Figure: Bankosy code updated to check whether a permission is granted through Marshmallow’s checkSelfPermission API]

Mitigation

Symantec recommends that users follow these best practices to stay protected from mobile threats:

  • Keep your software up to date
  • Refrain from downloading apps from unfamiliar sites and only install apps from trusted sources
  • Pay close attention to the permissions that apps request
  • Install a suitable mobile security app
  • Make frequent backups of important data

References

http://www.symantec.com/connect/blogs/android-threats-evolve-handle-marshmallow-s-new-permission-model