Overlay attacks are nothing new for Android users, and Palo Alto Networks Unit 42 researchers have found yet another way for attackers to perpetrate them.
An “overlay attack” allows an attacker’s app to lay windows over other windows and apps running on the device, effectively tricking users into clicking on buttons and allowing actions that could lead to their devices being compromised.
The Toast Overlay attack
Earlier this year, a group of researchers demonstrated how a malicious app could achieve the capability to “draw on top” of other apps after being granted two specific permissions (SYSTEM_ALERT_WINDOW and BIND_ACCESSIBILITY_SERVICE) and being downloaded from Google Play.
The Toast Overlay attack, as it has been dubbed by Palo Alto Networks researchers, does not require the malicious app to come from Google Play, and can be carried out by an app that has gained only the BIND_ACCESSIBILITY_SERVICE permission.
“The ‘Toast’ window (TYPE_TOAST) is one of the supported overlay types on Android. The Toast overlay is typically used to display a quick message over all other apps. For example, a message indicating that an e-mail has been saved as draft when a user navigates away without sending an e-mail. It naturally inherits all configuration options as for other window types,” the researchers explained.
“However, our research has found using the Toast window as an overlay window allows an app to write over the interface of another App without requesting the SYSTEM_ALERT_WINDOW privilege this typically requires. In this way, the app can launch an overlay attack without any special permissions.”
An overlay attack can be used to trick users into installing malware, give it full administrative privileges, or to lock up the device and hold it hostage for ransom.
Which devices are vulnerable?
Smartphones running all versions of Android except the latest one (8.0 Oreo) are vulnerable. Since Android Oreo was released less than a month ago and has yet to reach even a 0.1% adoption rate, this effectively means that nearly all Android devices in use are vulnerable.
Incidentally, Google added a new restrictive permission (TYPE_APPLICATION_OVERLAY) to Android Oreo in an attempt to foil screen-hijacking malware. The permission blocks windows from being positioned above any critical system windows, allowing users to access settings and block an app from displaying alert windows.
The vulnerability (CVE-2017-0752) that allows Toast Overlay attacks has been confirmed by Google and patched this month.
Users of Google’s own Android devices, Nexus and Pixel, can update them immediately and be safe from these attacks. Patches for all Android versions have been provided. Of course, users could also choose to upgrade to Android Oreo.
Users who depend on security updates from their mobile carriers or smartphone makers should ask for information on patch and update availability directly from them.
For the time being, the researchers are not aware of active attacks against this vulnerability.