Published on June 1st, 2016 📆 | 3180 Views ⚑


Android 6.0 Marshmallow permission-granting model is under attack

Powered by iSpeech

Malware researchers are warning Android’s latest permission-granting model in version 6.0 Marshmallow is now been targeted by Mobile malware authors.

Android’s latest permission-granting model in version 6.0 Marshmallow is now been targeted by Mobile malware authors. The model  will let users grant permissions only when it is required by the app, rather be accepting all on installation. Threats such as Android.Bankosy and Android.Cepsohord has already adopted this method in order to gain the permissions required by them to carry out malicious activities.

Prompting for permissions at runtime

In Mobile phones running on Android 6.0 Marshmallow, apps request permissions that could pose a privacy risk at runtime, as and when they’re are required, instead of prompting the user for all of them at installation time.

If the app malware author forcefully sets the “target_sdk” attribute of an app to 22 in place of 23 to avoid requesting permissions at runtime, a user then can grant all requested permission at the time of app’s installation, but the users can also manually revoke permissions from any app, irrespective of the “target_sdk” values on devices running Marshmallow.

Since Marshmallow’s market share is increasing and users are now learning to manually revoke permission. Authors of malware families such as Android.Bankosy and Android.Cepsohord has now started porting their code to handle the current Android runtime permission model.

Handling of Marshmallow’s new permission model by Bankosy and Cepsohord Malware.

Android.Bankosy is a well known Financial Trojan which partially works with the new model by checking whether a permission

is in a non-revoked state before execution of the malicious code. On the other hand, the Bankosy malware calls a special service

code (*21*[DESTINATION NUMBER]#) in order to enable unconditional call forwarding on the compromised device. This feature is needed by the attacker to help it conduct fraudulent transactions using the target’s information,

By using Marshmallow’s checkSelfPermission API the Bankosy’s authors updated the malware code to check whether the permission to call this number has been granted or not.

View post on

On the other hand, Click-fraud malware Cepsohord takes a step ahead and fully handles the new permission model. It not only checks the permission’s authorization state but also prompts the user to authorize the permission in case it is in a revoked state.

[adsense size='1']

Future of Android Malware.

Previously seen android Threats has the capability to update themselves so that they can survive new security measure on Google’s mobile operation system. Also, it can do powerful social engineering, taking advantage of user lack of privacy awareness.


Symantec Engineer’s recommends users to Keep your software up to date, Refrain from downloading apps from unfamiliar sites, only install apps from trusted sources, Pay close attention to the permissions that apps request, Install a suitable mobile security app to protect your device and data, and Make frequent backups of important data stay protected from mobile threats.

Reference : 

Leave a Reply

Your email address will not be published.