Malware targeting Android is exploiting a security hole to take control of people's mobile devices - and Google has ruled out patching the flaw until the next major upgrade of Android.
But after the WannaCry ransomware spread over the weekend, should Google do more to patch Android as a matter of urgency?
While Google claims it can keep most users' Android devices malware-free simply by policing its Google Play app store, malware-ridden apps nevertheless regularly slip through.
In Europe and the US, Google Play is generally the only place people download apps for their Android smartphones and tablets. In many other parts of the world, however, Google Play is either unavailable or blocked by local laws and regulations, or people simply prefer to side-load apps from less well-policed app stores on the internet.
The particular threat that leaves all current versions of Android (6.0 and later) wide open to malware, especially ransomware, is a simple permission-handling vulnerability that has already been widely exploited by malware creators targeting Android.
The flaw was publicised last week in a research note from the Check Point Software Mobile Research Team.
According to the researchers, it is "based on Google's policy which grants extensive permissions to apps installed directly from Google Play. This flaw exposes Android users to several types of attacks, including ransomware, banking malware and adware".
Check Point reported the flaw to Google, which responded that the issue is already being dealt with - but would only be fixed in the upcoming version of Android, 'Android O', which won't be released for several months yet.
The security flaw was introduced by Google in Android 6, also called Android Marshmallow, which was released in October 2015.
"Google introduced a new permission model for apps. The new model consists of several groups of permissions, with permissions considered as 'dangerous' granted only during runtime. This means that during the first time an app tries to access a 'dangerous' resource, the user is required to approve the necessary permission.
"In addition to the 'dangerous' permissions, another category exists, which contains a single permission - SYSTEM_ALERT_WINDOW. Unlike the other permissions, to grant it the user must go through several menus and manually allow an app to use it."
This permission lets an app draw windows on top of any other app without the user being told, which is why it has been widely adopted by fraudulent ad malware, phishing scams, click-jacking and the overlay windows common in banking Trojans.
"It can also be used by ransomware to create a persistent on-top screen that will prevent non-technical users from accessing their devices," warns Check Point.
Its research suggests that three-quarters of Android ransomware and 14 per cent of banking malware use this permission as part of their operation.
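The pattern Check Point describes is a static one that a reviewer can look for before an app ever runs: the overlay permission declared in the manifest next to the permissions an overlay lock screen or banking Trojan needs (persistence across reboot, SMS access for one-time codes, foreground-app detection). The following triage script is an added example, not Check Point's or Google's tooling; the three manifests are constructed for the demo, and the list of "suspect alongside overlay" permissions is an assumption drawn from the article's description, not a published detection rule.

```python
"""Triage AndroidManifest.xml files for the SYSTEM_ALERT_WINDOW abuse pattern.

Added example, not code from the article, Check Point or Google. The sample
manifests are constructed; the co-occurrence list is a heuristic assumption.
"""
import xml.etree.ElementTree as ET

ANDROID_NS = "http://schemas.android.com/apk/res/android"
NAME_ATTR = "{%s}name" % ANDROID_NS
TARGET_SDK_ATTR = "{%s}targetSdkVersion" % ANDROID_NS
OVERLAY = "android.permission.SYSTEM_ALERT_WINDOW"

# Assumption: permissions that, declared next to the overlay permission, match
# the lock-screen ransomware / banking-overlay tradecraft described in the text.
SUSPECT_WITH_OVERLAY = {
    "android.permission.RECEIVE_BOOT_COMPLETED": "re-create the on-top screen after a reboot",
    "android.permission.RECEIVE_SMS": "intercept one-time codes (banking Trojans)",
    "android.permission.READ_SMS": "read one-time codes (banking Trojans)",
    "android.permission.PACKAGE_USAGE_STATS": "learn which app is in the foreground before overlaying it",
    "android.permission.GET_TASKS": "learn the foreground app (older API)",
}


def permissions(manifest_xml):
    """Return the set of <uses-permission> names declared in a manifest."""
    root = ET.fromstring(manifest_xml)
    return {el.get(NAME_ATTR) for el in root.iter("uses-permission") if el.get(NAME_ATTR)}


def target_sdk(manifest_xml):
    """Return android:targetSdkVersion from <uses-sdk>, or None if absent."""
    sdk = ET.fromstring(manifest_xml).find("uses-sdk")
    if sdk is None or sdk.get(TARGET_SDK_ATTR) is None:
        return None
    return int(sdk.get(TARGET_SDK_ATTR))


def triage(manifest_xml):
    """Classify a manifest: 'ok', 'overlay-only' (needs a look) or 'review'."""
    perms = permissions(manifest_xml)
    has_overlay = OVERLAY in perms
    reasons = ["%s: %s" % (p, why) for p, why in SUSPECT_WITH_OVERLAY.items() if p in perms]
    if not has_overlay:
        verdict = "ok"          # overlay not requested; the co-occurrence rule does not apply
    elif reasons:
        verdict = "review"      # overlay plus the supporting permissions from the text
    else:
        verdict = "overlay-only"  # legitimate uses exist (screen filters, floating widgets)
    return {"overlay": has_overlay, "verdict": verdict,
            "reasons": reasons, "target_sdk": target_sdk(manifest_xml)}


# Constructed sample manifests (not real apps).
BENIGN = """<manifest xmlns:android="http://schemas.android.com/apk/res/android" package="com.example.notes">
  <uses-sdk android:minSdkVersion="19" android:targetSdkVersion="25"/>
  <uses-permission android:name="android.permission.INTERNET"/>
</manifest>"""

SCREEN_FILTER = """<manifest xmlns:android="http://schemas.android.com/apk/res/android" package="com.example.filter">
  <uses-sdk android:minSdkVersion="21" android:targetSdkVersion="23"/>
  <uses-permission android:name="android.permission.SYSTEM_ALERT_WINDOW"/>
</manifest>"""

SUSPECT = """<manifest xmlns:android="http://schemas.android.com/apk/res/android" package="com.example.locker">
  <uses-sdk android:minSdkVersion="16" android:targetSdkVersion="23"/>
  <uses-permission android:name="android.permission.INTERNET"/>
  <uses-permission android:name="android.permission.SYSTEM_ALERT_WINDOW"/>
  <uses-permission android:name="android.permission.RECEIVE_BOOT_COMPLETED"/>
  <uses-permission android:name="android.permission.READ_SMS"/>
  <uses-permission android:name="android.permission.PACKAGE_USAGE_STATS"/>
  <uses-permission android:name="android.permission.WAKE_LOCK"/>
</manifest>"""

SAMPLES = {"notes": BENIGN, "filter": SCREEN_FILTER, "locker": SUSPECT}

if __name__ == "__main__":
    for name, manifest in SAMPLES.items():
        result = triage(manifest)
        print("%-7s %-13s targetSdk=%s" % (name, result["verdict"], result["target_sdk"]))
        for reason in result["reasons"]:
            print("        " + reason)
```

The overlay permission on its own is not a verdict: screen-dimming filters and floating widgets declare it legitimately, which is why the script separates "overlay-only" from "review". The point the article makes is that on Android 6.0 and later the user is never asked for it when the app comes from Google Play, so the manifest is the only place a reviewer sees the request. On a device, the equivalent runtime check is whether the per-app overlay toggle is on, which `adb shell appops get <package> SYSTEM_ALERT_WINDOW` reports.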
But following WannaCry, should Google now be patching the flaw on all affected versions of Android as a matter of urgency, rather than as an after-thought that will only reach new devices when it finally gets round to releasing Android O?
Security consultant Graham Cluley thinks Google's attitude is a touch hypocritical. "Google's own vulnerability-hunting team has no qualms about highlighting the security holes in other vendors' products, and pressuring for them to be fixed quickly. It seems odd that they would be so tardy about flaws in their own software," Cluley told V3.
Dr Kevin Curran, senior member of the Institute of Electrical and Electronics Engineers (IEEE) and professor of cyber security at Ulster University, agreed.
"The newly uncovered 'dangerous' permissions flaw is a bad vulnerability indeed. It opens the door to malware installation on a range of Android devices. Google seems to be taking a chance, especially in the wake of the WannaCry attacks by delaying a roll-out to customers," Curran told V3.
Both Cluley and Curran added that patching the fragmented Android platform remains a big problem. "We know that Google has already committed to not patching bugs in versions prior to Android 4.4 no matter how bad they are. This exposes nearly a billion devices to vulnerabilities," said Curran.
He continued: "When it comes to newer Android versions we still have a major problem as the likes of Samsung, LG, HTC and others are responsible for deciding when they roll out their updates and for which handsets. This leaves consumers completely reliant on the whims of each manufacturer."
That leaves only 'pure' Android devices like the Pixel - which Google supports for a relatively short period compared to, say, the support Microsoft provides to Windows users - and devices like BlackBerry's Android handsets, which BlackBerry itself updates every month.
Indeed, said Cluley, Android's patching infrastructure is so fragmented that the vast majority of devices are simply never patched after they are activated.
"The galling truth is that even after they patch this Android security flaw, the chances are that many Android users will find the patch is simply unavailable to them, because of the knotted mess that is Android's updating infrastructure," said Cluley.
Curran agreed: "Even when Google rolls out an update for this latest flaw, unfortunately only a portion of users will get it. Hence, we will see more malware authors turning to Android."
V3 contacted Google for comment, specifically to ask whether it would be changing its stance on the permissions-patching issue. However, no response has been forthcoming.