SafeUM

Axarhöfði 14, 110 Reykjavik, Iceland

Iceland - 2015
8 Sep 2017

Researchers reveal new toast overlay attack on Android devices

Modern smartphones take pains to “sandbox” apps, keeping them carefully segregated so that no mischievous program can meddle in another app’s sensitive business.

But security researchers have found an unexpected feature of Android that can surreptitiously grant an app the permission to not merely reach outside its sandbox but fully redraw the phone’s screen while another part of the operating system is running, tricking users into tapping on fake buttons that can have unexpected consequences.

And while that hijacking of your finger inputs isn’t a new feat for Android hackers, a fresh tweak on the attack makes it easier than ever to pull off. On Thursday researchers at Palo Alto Networks warned in a blog post that users should rush to patch their Android phones against what they’re calling a “toast overlay” attack: For all versions of Android other than the recently released Oreo, they describe how users can be tricked into installing a piece of malware that can overlay images atop other apps and elements of the phone’s controls and settings.

It could, for instance, insert a picture of an innocent “continue installation” or mere “OK” button over another hidden button that invisibly gives the malware more privileges in the phone’s operating system or silently installs a rogue app—or it could simply take over the screen and lock the user out of all other parts of the phone in a form of ransomware.

“They can make it look like you’re touching one thing when you’re touching another,” says Palo Alto researcher Ryan Olson. “All they have to do is put an overlay a button over ‘activate this app to be a device admin’ and they’ve tricked you into giving them control of your device.”

Android overlay attacks have existed for almost as long as Android itself. But despite repeated efforts from Android's developers at Google to fix the problem, another version of the overlay attack was presented earlier this year at the Black Hat security conference.

That new attack, known as Cloak and Dagger, took advantage of two features of Android to make overlay attacks possible again: one called SYSTEM_ALERT_WINDOW, designed to allow apps to display alerts, and another known as BIND_ACCESSIBILITY_SERVICE, which allows apps for disabled users such as the seeing-impaired to manipulate other apps, magnifying their text or reading it aloud. Any malware that performs the Cloak and Dagger attack would need to ask the user’s permission for those features when it’s installed, and the system alert feature is only allowed in apps inside the Google Play store.

The toast overlay attack takes Cloak and Dagger one step further, the Palo Alto researchers say. They found that they could hijack the accessibility feature to perform a specific form of overlay using so-called “toast” notifications that pop up and fill the screen, with no need for the system alert permission. That tweak not only reduces the permissions that the user must be tricked into granting but also means the malware could be distributed from outside the Google Play store, where it wouldn’t be subject to Google’s security checks.

When experts reached out to Google about the attack, a spokesperson declined to comment but noted that Google released a patch for the problem Tuesday.

Who’s Affected?

Every version of Android prior to Oreo is vulnerable to the new version of the overlay attack, according to Palo Alto—unless you’ve already installed Google’s patch. (Thanks to the complexities of Android’s entanglements with carriers and handset manufacturers, you most likely haven’t.)

The most recent version of Android prior to Oreo does have a safeguard that only allows toast notifications to be displayed for 3.5 seconds. But that can be circumvented by putting the notification on a repeated, timed loop. “If you do it over and over and over, you can create a continuous overlay that’s not visible to the user as changing,” Olson says.

How Serious is This?

While Palo Alto calls its toast overlay method a “high severity vulnerability,” it’s not exactly cause for panic. Palo Alto notes that it has yet to see the attack used in the wild. And users would have to make a series of mistakes (albeit forgivable ones) before the attack can wreak its havoc: You’d have to first install the malware that’s equipped with the method after it already snuck into the Play store—or you made the less forgivable mistake of installing it from a source outside Play—and then grant it “accessibility” permissions before it could start popping up its deceptive toast notifications.

But that doesn’t mean the toast overlay attack isn’t worth a quick update to fix: Better to patch your phone’s operating system now than worry about malicious toast seizing its screen for ransom.
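The preconditions described above (a pre-Oreo device, an app installed from outside Google Play, and an accessibility service granted to it) can be checked from a workstation. The following is an added example, not code from the article or from Palo Alto; it parses text captured from three standard adb commands, and the sample data is constructed. The pre-Oreo flag reflects only the OS version and cannot tell whether Google's patch is installed.

```python
# Added example (not from the article). Inputs are text captured with:
#   adb shell settings get secure enabled_accessibility_services
#   adb shell pm list packages -i
#   adb shell getprop ro.build.version.sdk
PLAY_STORE = "com.android.vending"
OREO_API_LEVEL = 26  # Android 8.0 (Oreo)

def enabled_accessibility_packages(settings_output):
    """Packages that currently have an accessibility service enabled."""
    text = settings_output.strip()
    if not text or text == "null":  # nothing enabled
        return []
    pkgs = []
    for component in text.split(":"):  # entries look like pkg/ServiceClass
        pkg = component.split("/", 1)[0].strip()
        if pkg and pkg not in pkgs:
            pkgs.append(pkg)
    return pkgs

def installers(pm_output):
    """Map package -> installer package, or None when none is recorded."""
    result = {}
    for line in pm_output.splitlines():
        line = line.strip()
        if not line.startswith("package:"):
            continue
        name, _, rest = line[len("package:"):].partition(" ")
        installer = rest.partition("installer=")[2].strip()
        result[name] = None if installer in ("", "null") else installer
    return result

def audit(settings_output, pm_output, sdk_level):
    """Flag accessibility-enabled apps that did not come from Google Play.
    Preinstalled apps can also lack an installer, so hits are for review."""
    known = installers(pm_output)
    review = [(pkg, known.get(pkg))
              for pkg in enabled_accessibility_packages(settings_output)
              if known.get(pkg) != PLAY_STORE]
    return {"pre_oreo": int(sdk_level) < OREO_API_LEVEL, "review": review}

# Constructed sample output; the com.example.* packages are made up.
SAMPLE_SETTINGS = ("com.google.android.marvin.talkback/"
                   "com.google.android.marvin.talkback.TalkBackService:"
                   "com.example.flashlight/.HelperService")
SAMPLE_PM = """package:com.google.android.marvin.talkback  installer=com.android.vending
package:com.example.flashlight  installer=null
package:com.example.notes  installer=com.android.vending"""

if __name__ == "__main__":
    print(audit(SAMPLE_SETTINGS, SAMPLE_PM, "25"))
```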



Tags:
Android hackers information leaks
Source:
Wired