Except for Oreo, All Android Versions Are Vulnerable to This Attack
Security researchers have warned that every version of Android except the latest, Oreo, is vulnerable to an overlay attack. A flaw in Android lets an app surreptitiously obtain the ability to draw bogus screens over other apps, tricking users into tapping on them. Such apps effectively reach outside their sandbox, hiding what is actually happening behind fake screens and text.
"They [malicious apps] can make it look like you're touching one thing when you're touching another," Palo Alto researcher Ryan Olson said. "All they have to do is put an overlay button over 'activate this app to be a device admin' and they've tricked you into giving them control of your device."
As the researchers explain, overlay attacks are nothing new. Until now, however, malicious apps needed to overcome two significant hurdles:
- They must explicitly request the “draw on top” permission from the user when installed.
- They must be installed from Google Play.
"These are significant mitigating factors and so overlay attacks haven't been reckoned a serious threat," the researchers write. This newly reported vulnerability, however, lets criminals bypass both hurdles by exploiting a notification type called "Toast," which Google describes as a "view containing a quick little message for the user."
Researchers reveal Toast Overlay attack on Android
The Toast Overlay attack can hijack Android's Accessibility feature using Toast notifications, which pop up without requiring the system alert window ("draw on top") permission. "Unlike other window types in Android, Toast doesn't require the same permissions, and so the mitigating factors that applied to previous overlay attacks don't apply here," the researchers explained.
Using Toast windows, criminals can "both modify what the user sees and inject fake input, all while maintaining the expected 'user experience' and remaining stealthy." For example, instead of an "activate" button, the user can be shown a Toast overlay with a button that says "continue" or something else, while the tap actually lands on the hidden "activate" button underneath.
As mentioned earlier, the latest release, Android 8.0 Oreo, is immune to this particular attack vector, but only a small fraction of users have received it, and many will not see it for at least six months. Google has released a patch for this design flaw (tracked as CVE-2017-0752) in its September security updates. Install these updates as soon as your carrier makes them available. Just as importantly, avoid installing apps from outside the Google Play store.
A video of this attack in action can be viewed on the Palo Alto Networks website.