Google tinkers with Android O to foil ransomware


In Android, apps aren’t supposed to be able to interfere with the normal behavior of other apps or the device itself. But ransomware is notorious for taking over other apps and encrypting data, and it can even block the uninstall command. It’s been a long-standing problem for Google’s Android mobile operating system.

“Ransomware does everything opposite of what the Android security model says apps should do,” says Android security team malware analyst Elena Kovakina. Google is tackling the ransomware problem on Android by beefing up app protections, deprecating certain APIs, and removing functionality, she says. Google has made antimalware improvements in the current Android Nougat, and more are slated for the forthcoming .

Ransomware isn’t as big of a threat on mobile devices as it has been on the desktop, but it does exist. Kovakina notes that Google tracked 30 Android ransomware families in the wild and collected 50,000 samples to learn how the malware behaved, what kind of API calls it abused, and what operating system processes it targeted.

Android ransomware variants tend to target older operating system versions; Cyber.Police, for example, exploited Android Ice Cream Sandwich, Jelly Bean, and KitKat devices a year ago. The malware locked up the devices’ home screens and demanded Apple iTunes gift cards in exchange for the decryption key to unlock the phones.

was released March 21, and the API is “getting a complete overhaul,” Kovakina says.

To control what kind of windows can be displayed above other apps, apps using the O SDK will no longer be allowed to use the window types TYPE_PHONE, TYPE_PRIORITY_PHONE, TYPE_SYSTEM_ALERT, TYPE_SYSTEM_OVERLAY, or TYPE_SYSTEM_ERROR. Instead, developers will have to use the new window type TYPE_APPLICATION_OVERLAY. Apps using older SDK versions can still use those window types, but their windows will be z-ordered below the new TYPE_APPLICATION_OVERLAY windows. An ongoing low-priority notification is displayed in the window for all apps using the SYSTEM_ALERT_WINDOW permission, regardless of whether they're using the new window type or one of the older ones.

All alert windows will be z-ordered below critical system windows like the lockscreen or the status bar. This means users will always be able to switch away from the alert windows.
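For developers or reviewers checking an app against the window-type change described above, here is a small source audit, added as an example and not taken from Google or the article. It assumes Android O corresponds to API level 26 (not stated in the article), and the Java snippet it scans is constructed for illustration.

```python
import re

# Window types the article says apps built with the O SDK may no longer use.
LEGACY_TYPES = ("TYPE_PHONE", "TYPE_PRIORITY_PHONE", "TYPE_SYSTEM_ALERT",
                "TYPE_SYSTEM_OVERLAY", "TYPE_SYSTEM_ERROR")
REPLACEMENT = "TYPE_APPLICATION_OVERLAY"
ANDROID_O_API = 26  # assumption: API level of Android O, not given in the article

_TOKEN = re.compile(r"\b(" + "|".join(LEGACY_TYPES) + r")\b")
# Java/Kotlin line and block comments. Simplification: a "//" inside a
# string literal is also treated as a comment start.
_COMMENT = re.compile(r"//.*?$|/\*.*?\*/", re.S | re.M)


def strip_comments(src):
    """Blank out comments but keep newlines so line numbers stay correct."""
    return _COMMENT.sub(lambda m: re.sub(r"[^\n]", " ", m.group()), src)


def audit(source, target_sdk):
    """Return (line_no, window_type, verdict) for each legacy type in live code."""
    if target_sdk >= ANDROID_O_API:
        verdict = "disallowed: use " + REPLACEMENT
    else:
        verdict = "allowed, but z-ordered below " + REPLACEMENT
    findings = []
    for no, line in enumerate(strip_comments(source).splitlines(), 1):
        for m in _TOKEN.finditer(line):
            findings.append((no, m.group(1), verdict))
    return findings


# Constructed sample input: overlay helper from a hypothetical app.
SAMPLE = """\
// Constructed sample: overlay helper from a hypothetical app.
WindowManager.LayoutParams lp = new WindowManager.LayoutParams();
/* lp.type = WindowManager.LayoutParams.TYPE_SYSTEM_ERROR; (old) */
lp.type = WindowManager.LayoutParams.TYPE_SYSTEM_ALERT;
int fallback = WindowManager.LayoutParams.TYPE_PHONE; // TYPE_SYSTEM_OVERLAY
"""

if __name__ == "__main__":
    for sdk in (25, ANDROID_O_API):
        print("targetSdkVersion", sdk)
        for no, name, verdict in audit(SAMPLE, sdk):
            print("  line %d: %s -> %s" % (no, name, verdict))
```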

Google will keep tinkering

There is a bit of a cat-and-mouse game being played. Many of the system improvements seen in the latest versions of Android were inspired by a type of malware that successfully executed on a device. Malware creators will look for new tricks as Google addresses their current ones.

Google’s aim is to make it more difficult and costlier for attackers to build mobile malware. Kovakina acknowledges that users don’t always have the latest version, which is why Google has beefed up its Verify Apps tool’s ability to detect ransomware in the Google Play Store. Instead of warning of ransomware, Verify Apps now blocks suspected ransomware apps.