Security researchers warned on Thursday of a high-severity Android flaw that stems from what they call a “toast attack” overlay vulnerability. Researchers say criminals could use Android’s toast notification, a feature that provides simple feedback about an operation in a small pop-up, in an attack scenario to obtain administrator rights on targeted phones and take complete control of them.
Affected are all versions of the Android operating system prior to Android 8.0, Oreo, released just last month.
“Since Android 8.0 is a relatively recent release, this means that nearly all Android users should take action today and apply updates that are available to address this vulnerability,” researchers with Palo Alto Networks Unit 42, who found the flaw, said.
Exploiting the toast vulnerability would let attackers mount what are known as “overlay” attacks on Android phones. Overlay attacks aren’t new. They all share the same goal: drawing an attacker-controlled UI on top of legitimate Android applications. The overlay then tricks users into tapping confirmation buttons or entering credentials into a fake window, which captures them and forwards them to a remote attacker.
“This type of (toast) attack can also be used to give malicious software total control over the device. In a worst-case attack scenario, this vulnerability could be used to render the phone unusable (i.e., a ‘brick’) or to install any kind of malware including (but not limited to) ransomware or information stealers,” wrote Christopher Budd, senior threat communications manager for Unit 42, in a technical overview posted Thursday.
Android toast messages are short-lived pop-up notifications that appear on a phone’s screen. Google describes them as “a (notification) message you display to the user outside of your app’s normal UI.” Google’s own example is an email client that shows a “Sending message…” toast when the user taps “Send.”
A toast-type overlay is similar to the overlay attack method known as Cloak and Dagger that came to light earlier this year, researchers said. That attack leverages two Android permissions, System Alert Window and Bind Accessibility Service. System Alert Window allows an app to draw windows on top of other apps in order to display alerts. Bind Accessibility Service lets an app act as an accessibility service, which makes the Android user interface usable by the visually impaired by exposing descriptions of on-screen activity.
Toast attacks achieve the same effect, but do not require the user to grant any Android permission.
“This newly discovered overlay attack does not require any specific permissions or conditions to be effective. Malware launching this attack does not need to possess the overlay permission or to be installed from Google Play. With this new overlay attack, malware can entice users to enable the Android Accessibility Service and grant the Device Administrator privilege or perform other dangerous actions,” according to a technical write-up on toast, also posted Thursday by Unit 42.
Additionally, researchers said it is possible to create a toast window that overlays the entire screen, making it possible to use toast to build the functional equivalent of regular app windows. “In light of this latest research, the risk of overlay attacks takes on a greater significance,” researchers said.
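For app developers reading this, the standard per-app mitigation against touch-based overlay attacks is to have sensitive views reject any touch that arrives while another window is drawn over them. The class below is an added illustration of that mitigation; it is not code from the article or from Unit 42. It relies on the stock Android framework APIs `View.setFilterTouchesWhenObscured()`, `View.onFilterTouchEventForSecurity()` and `MotionEvent.FLAG_WINDOW_IS_OBSCURED` (all available since API level 9); the package name, class names and log messages are hypothetical.

```java
// Added example, not code from the article or from Unit 42.
// Package and class names are hypothetical; the framework calls are stock Android.
package com.example.overlaydefense;

import android.app.Activity;
import android.content.Context;
import android.os.Bundle;
import android.util.AttributeSet;
import android.util.Log;
import android.view.MotionEvent;
import android.widget.Button;

/**
 * A Button that ignores taps delivered while another window is drawn over it.
 *
 * The input system sets MotionEvent.FLAG_WINDOW_IS_OBSCURED on a touch when a
 * window belonging to another app lies between the user's finger and this
 * view. With filterTouchesWhenObscured enabled, the framework drops such
 * events before any click listener sees them, so an overlay cannot "click
 * through" to a sensitive action such as granting a privilege or confirming
 * a payment.
 */
public class ShieldedButton extends Button {
    private static final String TAG = "ShieldedButton";

    public ShieldedButton(Context context) {
        super(context);
        init();
    }

    public ShieldedButton(Context context, AttributeSet attrs) {
        super(context, attrs);
        init();
    }

    private void init() {
        // Same effect as android:filterTouchesWhenObscured="true" in layout XML.
        setFilterTouchesWhenObscured(true);
    }

    /**
     * Called by the framework for every touch before dispatch. The base class
     * returns false only when filtering is enabled and the obscured flag is
     * set. We keep that decision and merely record the blocked attempt, so QA
     * or a security team can spot overlay activity in logcat.
     */
    @Override
    public boolean onFilterTouchEventForSecurity(MotionEvent event) {
        boolean allowed = super.onFilterTouchEventForSecurity(event);
        if (!allowed && event.getActionMasked() == MotionEvent.ACTION_DOWN) {
            Log.w(TAG, "Dropped touch: window is obscured by another app's overlay");
        }
        return allowed;
    }

    /** Minimal host Activity showing the button in use (hypothetical). */
    public static class DemoActivity extends Activity {
        @Override
        protected void onCreate(Bundle savedInstanceState) {
            super.onCreate(savedInstanceState);
            ShieldedButton grant = new ShieldedButton(this);
            grant.setText("Grant access");
            // Only reached for touches that were not filtered out above.
            grant.setOnClickListener(v -> Log.i(TAG, "Genuine tap: proceeding"));
            setContentView(grant);
        }
    }
}
```

Two caveats worth stating plainly. First, this protects only the app that opts in; the toast scenario described in the article lures the user through system dialogs (enabling an accessibility service, granting device administrator rights), and those screens are outside a third-party developer's control, so this is a hardening measure for your own sensitive UI, not a substitute for the platform patch. Second, whether a particular overlay trips the obscured flag depends on its window type and on the OS release, so verify the behaviour on the Android versions you support rather than assuming it.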
A patch for the vulnerability (CVE-2017-0752) was released Tuesday as part of Google’s September Android Security Bulletin.
It’s unclear whether the patches released Tuesday included a specific fix for the toast issue on older Android versions. Also unclear is how many Android devices are running Oreo and are therefore protected from the attack.
“Most people who run Android run versions that are vulnerable. This means that it’s critical for all Android users on versions before 8.0 to get updates for their devices,” researchers wrote.
Working as a cyber security solutions architect, Alisa focuses on bug bounty and network security. Before joining us she held cyber security researcher positions at a variety of cyber security start-ups. She also has experience in industry domains such as finance, healthcare and consumer products.