How has the SYSTEM_ALERT_WINDOW permission been abused over the years by malware creators?

Chat Bubbles, aka Chat Heads, is a user interface element first introduced by Facebook Messenger back in December 2012. The feature allowed Android and iOS users to chat with multiple people while using other apps at the same time. That simplicity was the foundation on which the popularity of chat heads was built.

Chat Head when a message is received in Facebook Messenger — Image Credits: Zeeshan Rasool

But this simplicity came with a price. The chat heads feature in Android apps required users to grant the SYSTEM_ALERT_WINDOW permission. Present since Android API Level 1, this permission is very powerful and, at the same time, dangerous to users.

The reason is the extensive capability this permission carries: it lets an app draw over any other app without notifying the user. That opens the door to several malicious techniques, such as displaying fraudulent ads, phishing screens, clickjacking, and overlay windows, all of which are common in banking Trojans. It has also been used by ransomware to create a persistent on-top screen that prevents non-technical users from accessing their devices.
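From an app developer's side, the clickjacking and overlay cases above have a standard mitigation: a view can refuse touches that arrive while another window is drawn over it. The following Kotlin class is an added example, not code from the article; the class name is hypothetical, and everything else is the standard Android `View` and `MotionEvent` API.

```kotlin
// Added example (not from the article): a sensitive control that drops touches
// delivered while an overlay covers it. ObscuredTouchAwareButton is a hypothetical name.
import android.content.Context
import android.util.AttributeSet
import android.util.Log
import android.view.MotionEvent
import android.widget.Button

class ObscuredTouchAwareButton @JvmOverloads constructor(
    context: Context,
    attrs: AttributeSet? = null
) : Button(context, attrs) {

    init {
        // Same effect as android:filterTouchesWhenObscured="true" in layout XML.
        // The framework then discards touches whose FLAG_WINDOW_IS_OBSCURED bit is set,
        // i.e. touches that passed through a window drawn on top of this one
        // (a SYSTEM_ALERT_WINDOW overlay, a toast, and so on).
        filterTouchesWhenObscured = true
    }

    // Called by the framework for every touch before it is dispatched to the view.
    // Returning false discards the event. This also rejects partially obscured
    // touches (flag added in API 29), which the default filter does not cover.
    override fun onFilterTouchEventForSecurity(event: MotionEvent): Boolean {
        val flags = event.flags
        val fullyObscured = (flags and MotionEvent.FLAG_WINDOW_IS_OBSCURED) != 0
        val partiallyObscured = (flags and MotionEvent.FLAG_WINDOW_IS_PARTIALLY_OBSCURED) != 0
        if (fullyObscured || partiallyObscured) {
            // Log instead of silently dropping: repeated hits here are a useful
            // signal that something is drawing over the app while the user taps.
            Log.w("OverlayGuard", "Dropped touch delivered under an overlay, flags=$flags")
            return false
        }
        return super.onFilterTouchEventForSecurity(event)
    }
}
```

Use this class (or the XML attribute) on the controls that confirm payments, grant consent, or enter credentials; it does not stop an overlay from being drawn, but it stops the overlay from turning a user's tap into an action the user never saw.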

Facebook Messenger’s chat heads used the SYSTEM_ALERT_WINDOW permission to overlay and draw bubbles over other apps and the Android OS itself. The popularity of chat heads encouraged other Android developers to use them in their apps for different purposes. Before long, the SYSTEM_ALERT_WINDOW permission was being abused by hackers and malware creators to compromise Android users’ phones and manipulate them for their own gain.


Google was aware of this problem and kept improving the Android operating system, its security and user privacy until 2015, when Android Marshmallow (6.0) was launched. Among other features, it introduced runtime permissions, which ask users to allow or deny a permission while the app is running, so that they can better understand the context in which the app is requesting it. SYSTEM_ALERT_WINDOW was placed in a separate class of especially dangerous permissions for which the system shows a full-screen settings page instead of the normal permission dialog.

The SYSTEM_ALERT_WINDOW permission screen

This proved to be a good feature for both users and app developers. Almost a year later, in May 2016, some developers started noticing that the SYSTEM_ALERT_WINDOW permission was being granted automatically to some apps like Facebook Messenger, Evernote and Pocket, while other apps had to show the permission screen to their users and ask them to grant it.

This was partly because of the target API level developers set for their apps. For example, if an app targets API Level 22 or lower, then all permissions, including SYSTEM_ALERT_WINDOW, are granted at install time by Google Play. Apps targeting API Level 23 or higher request permissions at runtime instead. But according to Google Play policies, a new app cannot target more than one level below the current stable API level. At the time of writing this article, Android 10 (API Level 29) is the current version, so all new apps must target at least API level 28. So developers cannot simply target a lower API level to have all permissions granted at install time.
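For an app targeting API 23 or higher, the flow behind the full-screen settings page is a check plus an explicit hand-off to Settings; there is no grant callback, so the app re-checks when the user comes back. The helper below is an added example, not the article's code; `OverlayPermissionHelper` and `REQUEST_OVERLAY` are hypothetical names, and the manifest is assumed to declare `android.permission.SYSTEM_ALERT_WINDOW`.

```kotlin
// Added example (not from the article): checking for and requesting the overlay
// permission on API 23+. OverlayPermissionHelper and REQUEST_OVERLAY are hypothetical.
import android.app.Activity
import android.content.Intent
import android.net.Uri
import android.os.Build
import android.provider.Settings

object OverlayPermissionHelper {
    const val REQUEST_OVERLAY = 1001

    // True if this app may currently draw over other apps. Below API 23 the permission
    // is an install-time grant (the target-API behaviour described above), so there is
    // nothing to check at runtime.
    fun canDrawOverlays(activity: Activity): Boolean =
        Build.VERSION.SDK_INT < Build.VERSION_CODES.M || Settings.canDrawOverlays(activity)

    // Opens the system "Display over other apps" page for this package. Unlike a normal
    // runtime permission there is no dialog: the user has to flip the toggle themselves.
    fun requestOverlayPermission(activity: Activity) {
        if (canDrawOverlays(activity)) return
        val intent = Intent(
            Settings.ACTION_MANAGE_OVERLAY_PERMISSION,
            Uri.parse("package:${activity.packageName}")
        )
        activity.startActivityForResult(intent, REQUEST_OVERLAY)
    }
}

// In the Activity, re-check on return; Settings reports no result code for the toggle.
// override fun onActivityResult(requestCode: Int, resultCode: Int, data: Intent?) {
//     super.onActivityResult(requestCode, resultCode, data)
//     if (requestCode == OverlayPermissionHelper.REQUEST_OVERLAY) {
//         val granted = OverlayPermissionHelper.canDrawOverlays(this)
//         // If not granted, fall back to an in-app UI; do not bounce the user back
//         // to Settings in a loop, which is exactly the pattern abusive apps use.
//     }
// }
```

When reviewing a device for apps that already hold this permission, the same state the helper checks can be read from the app-ops layer with `adb shell appops get <package> SYSTEM_ALERT_WINDOW`, which reports `allow`, `deny` or `default` for that package.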

So, how were big apps such as Messenger or Evernote being granted a permission as dangerous as SYSTEM_ALERT_WINDOW automatically, without users even knowing? Developers started asking these kinds of questions through Google’s Issue Tracker, and Google finally answered, quoting from https://issuetracker.google.com/issues/37119304:

This is an intended behavior to allow popular apps to keep working until we have an alternative APIs in the platform for these apps to migrate.

But what did Google mean by “popular apps”? Does having 1 million downloads make an app “popular”? Or how about 50 million downloads? It turns out you need to ask Google to review your app in more detail if you want it to be auto-granted not only SYSTEM_ALERT_WINDOW but other things like SMS and call log access. You can submit your request using the form available at this link.

If your request is approved, your app will be granted the SYSTEM_ALERT_WINDOW permission automatically when it is installed from Google Play, and it will become a “popular” app. There is usually little chance of being approved, so you will have to stick to asking users for the permission yourself.


But there’s also another thing Google said in that “popular apps” comment in the Issue Tracker: “until we have an alternative APIs in the platform for these apps to migrate”. So Google was already working on an alternative API.

So, three years later, in April 2019, Google finally introduced Chat Bubbles in Android 10 Beta 2 as the alternative API to the SYSTEM_ALERT_WINDOW permission. With the Chat Bubbles API, the SYSTEM_ALERT_WINDOW permission is on the road to deprecation and may be removed from the Android platform. Developers were very excited, and articles experimenting with the Bubbles feature started popping up.

Chat Bubbles in Android 10 Beta 2 - Android Developers Blog

But when Google announced the final APIs for Android 10 in Beta 4, developers realized that the Chat Bubbles feature was not going to be launched in Android 10. Rather, it is now a developer-only feature. If users want to use Chat Bubbles on their Android 10 phone, they have to enable the feature manually from Developer Options in the Android system, which is not a simple process for ordinary users. The Chat Bubbles feature was intended only for developers to experiment with and provide feedback to Google, so that Google can improve its API and functionality.


A few weeks ago, Android 11 Preview 2 was launched. It brings a whole lot of new and improved features, but chat bubbles are still in developer-only mode. There is a very high possibility that chat bubbles will launch for users in Android 11. This was supposed to be announced and confirmed at Google’s annual conference, I/O 2020, but unfortunately, due to the COVID-19 pandemic, Google I/O 2020 has been completely cancelled.

Google I/O 2020 cancellation announcement from the official website (https://events.google.com/io/)

Usually, every new release of Android gets its stable launch on partner devices during Q3 of the year. So Android 11 is expected to launch in or after September 2020, probably for Pixel devices first. Whether it includes Chat Bubbles or not will be confirmed with those stable releases. Until then, the use, and perhaps abuse, of SYSTEM_ALERT_WINDOW for chat heads or bubbles in Android apps will probably continue. And that’s a wrap.


Have fun and use your code for good. 🙏

At the end, please Subscribe to my newsletter DroidUp to get more tutorials and tips on Android development directly in your inbox.




Wajahat Karim is a graduate of NUST, Islamabad, an experienced mobile developer, an active open source contributor, and co-author of two books, Learning Android Intents and Mastering Android Game Development with Unity. In his spare time, he likes to spend time with his family, experiment with code, write about lots of things (mostly on his blog and Medium), and contribute to open source. In June 2018, one of his libraries became #1 on GitHub Trending. His libraries have about 2000 stars on GitHub and are used in various apps by developers all around the globe. Follow him on Twitter and Medium to get more updates about his work in writing, Android and open source.

Also, if you have any questions you’d like him to answer, contact him through his website at wajahatkarim.com with DEAR WAJAHAT in the subject line.