TOASTAMIGO – the first known strain of malware that uses the Toast Overlay exploit


Trend Micro spotted TOASTAMIGO, the first known malware that uses the recently patched vulnerability that ties with the Toast Overlay attacks.

Malware researchers at Trend Micro have spotted the first known strain of malware that triggers the recently patched vulnerability, tracked as CVE-2017-0752, that ties with the Toast Overlay attacks.

The vulnerability was discovered in September by security researchers with Palo Alto Networks Unit 42.

The experts reported that it is possible to abuse Android’s toast notification, a feature that is used to provide feedback about an operation in a small short-lived pop up notification, to obtain admin rights on targeted phones and take over the device.

The vulnerability affects all versions of the Android operating system prior to Android 8.0 (Oreo), which was the latest release at the time, so nearly all Android users were exposed.

“What our researchers have found is a vulnerability that can be used to more easily enable an “overlay attack,” a type of attack that is already known on the Android platform. This type of attack is most likely to be used to get malicious software on the user’s Android device.” reads the analysis published by Palo Alto Networks. “This type of attack can also be used to give malicious software total control over the device. In a worst-case attack scenario, this vulnerability could be used to render the phone unusable (i.e., a “brick”) or to install any kind of malware including (but not limited to) ransomware or information stealers. In simplest terms, this vulnerability could be used to take control of devices, lock devices and steal information after it is attacked.”

The toast flaw is exploitable for “overlay” attacks on Android phones: attackers use it to draw a UI overlay on top of legitimate Android applications and trick victims into entering sensitive information or tapping confirmation buttons they cannot actually see.

Figure: Toast Overlay attacks

Google fixed the flaw in its monthly Android security updates.

This week, Trend Micro experts reported seeing the first piece of malware exploiting the Toast overlay flaw, which is why it was dubbed TOASTAMIGO. The Android malware was disguised as apps named Smart AppLocker that had been available on Google Play; they were downloaded hundreds of thousands of times before Google removed them.

The TOASTAMIGO app claims to secure devices with a PIN code, but once the victim installs it, the app requests Accessibility permissions and informs the user that it needs to scan the phone for insecure apps. The malware uses the Toast exploit to display a progress screen for the “scan” while, in the background, it executes commands from the attackers and installs a second-stage malware that Trend Micro named AMIGOCLICKER.

“The malware ironically poses as legitimate app lockers that supposedly secure the device’s applications with a PIN code. Upon installation, these apps will notify the user that they need to be granted Accessibility permissions for it to work. It’s all a ruse to sidestep Android’s countermeasure that requires apps to have explicit user permission.” states Trend Micro. “After granting permissions, the apps will launch a window to purportedly “analyze” the apps. Behind the scenes, however, the apps carry out actions or commands, including the installation of a second malware (since it already has the permissions).”


TOASTAMIGO also implements features to prevent its removal by security software. AMIGOCLICKER is able to collect Google accounts and perform other actions, including clicking buttons in system dialogs, clicking Facebook ads, and giving itself a five-star rating on Google Play.

“The miscellany of the malware’s malicious functionalities, combined with a relatively unique attack vector, makes them credible threats. In fact, the aforementioned functionalities can actually be modified for further cyberattacks,” Trend Micro researchers said in a blog post. “Since TOASTAMIGO and AMIGOCLICKER can misuse Android’s Accessibility feature to virtually do anything, this malware can update itself when getting the remote server’s commands.”