Story image

Android 'Toast' overlay vulnerability affects all versions prior to 8.0

11 Sep 17

Android users are being urged to apply any security patches for their devices, after security researchers discovered a ‘high severity’ vulnerability in Toast.

The Android Toast overlay exploits all versions of Android prior to the latest version, Android Oreo. According to researchers at Unit 42, the vulnerability increases the likeliness of an overlay attack, although they are not aware of any attacks that have used the vulnerability.

Overlay attacks are already well-known on Android.

“An “overlay attack” is an attack where an attacker’s app draws a window over (or “overlays”) other windows and apps running on the device. When done successfully, this can enable an attacker to convince the user he or she is clicking one window when, in fact, he or she is actually clicking another window,” Unit 42 researcher Christopher Budd explains.

They are used to install malicious software on an Android device in order to control or ‘brick’ it, steal information, demand ransoms or do all of those things in one swoop.

Overlay attacks can also be used to create denial-of-services on the device by opening windows that cannot be closed – a key use for the way ransomware attacks are conducted.

Previously, it was believed that malicious apps that attempt to conduct overlay attacks had to explicitly request the ‘draw on top’ permission from the user, and the apps must be installed through Google Play.

Because of these two factors, overlay attacks were previously ruled a non-serious threat. However, researchers say that overlay attacks can occur without those two conditions. 

Android devices are built with a feature called ‘Toast’, which is a notification that pops up on the screen. It is generally used to show notifications and messages over apps.

Toast does not require the same permissions as other Android window types and it is also able to overlay the entire screen.

“If a malicious app were to utilize this new vulnerability, our researchers have found it could carry out an overlay attack simply by being installed on the device. In particular, this means that malicious apps from websites and app stores other than Google Play can carry out overlay attacks. It’s important to note that apps from websites and app stores other than Google Play form a significant source of Android malware worldwide,” Budd explains.

While Budd says that Android Oreo is immune from the vulnerability, but all Android users before 8.0 should contact their handset maker or mobile carrier for the latest updates.

“Of course, one of the best protections against malicious apps is to get your Android apps only from Google Play, as the Android Security Team aggressively screens against malicious apps and keeps them out of the store in the first place,” Budd concludes.

Disruption in the supply chain: Why IT resilience is a collective responsibility
"A truly resilient organisation will invest in building strong relationships while the sun shines so they can draw on goodwill when it rains."
Businesses too slow on attack detection – CrowdStrike
The 2018 CrowdStrike Services Cyber Intrusion Casebook reveals IR strategies, lessons learned, and trends derived from more than 200 cases.
Proofpoint launches feature to identify most targeted users
“One of the largest security industry misconceptions is that most cyberattacks target top executives and management.”
McAfee named Leader in Magic Quadrant an eighth time
The company has been once again named as a Leader in the Gartner Magic Quadrant for Security Information and Event Management.
Symantec and Fortinet partner for integration
The partnership will deliver essential security controls across endpoint, network, and cloud environments.
Is Supermicro innocent? 3rd party test finds no malicious hardware
One of the larger scandals within IT circles took place this year with Bloomberg firing shots at Supermicro - now Supermicro is firing back.
25% of malicious emails still make it through to recipients
Popular email security programmes may fail to detect as much as 25% of all emails with malicious or dangerous attachments, a study from Mimecast says.
Google Cloud, Palo Alto Networks extend partnership
Google Cloud and Palo Alto Networks have extended their partnership to include more security features and customer support for all major public clouds.