Security researchers warned end users about an Android vulnerability that can lead to what they’ve called a “toast overlay” attack. In this attack scenario, users can be tricked into installing malware that superimposes images over other apps and certain parts of the device’s controls and settings.
What’s the impact?
In an overlay attack, a malicious application draws a window atop other running windows or apps. A successful exploit can allow an attacker to deceive the user into clicking on a malicious window.
What does this mean? An image of a seemingly benign “OK” or “Continue Installation” icon, for instance, can be displayed over a hidden button that will surreptitiously grant it device privileges. It can also be used to install a malicious information-stealing app—or even hijack the screen and lock the user out ala ransomware.
[From TrendLabs Security Intelligence: CVE-2017-0780: Denial-of-Service Vulnerability can Crash Android Messages App]
What does this overlay attack do?
Overlay attacks are not new, and mitigations that have been rolled out in various Android operating systems (OS) made them difficult to execute. Malicious apps that employ them must explicitly ask for the user’s permission, and they must be installed from Google Play.
However, the recent vulnerability provides a way to successfully carry out an overlay attack. It leverages a flaw in Toast, a feature in Android used to display notifications and messages over other applications. The analysis also draws on research published by the Institute of Electrical and Electronics Engineers (IEEE) called “Cloak and Dagger”, which was presented at the last Black Hat security conference. The research demonstrated how overlay attacks could be carried out by abusing the alerts and notification features in Android’s Accessibility Service.
Who is affected?
All versions of Android are vulnerable except the latest, Oreo. Android Nougat has a precaution in that Toast notifications can only be displayed for 3.5 seconds. Note, however, that this can be sidestepped by putting the notifications on a timed loop. This means an attacker can disguise his malicious content as long as needed. Additionally, Toast doesn’t need the same permissions as other windows in Android, and it’s even possible to abuse Toast to overlay the entire screen.
What can you do?
A patch for the flaw (CVE-2017-0752) was recently released as part of the Android Security Bulletin for September 2017. While researchers note they have yet to see the attack in the wild, that doesn’t mean it’s not worth updating your device given its attack chain. A malicious app that employs this method only needs to be installed on your device and granted accessibility permissions.
Practice good mobile security habits. Among them: keeping your OS and apps updated, and downloading only from the official Google Play or trusted sources. Apart from Nexus and Pixel devices, updates on other Android devices are still fragmented, so users should contact their device’s OEM for their availability. Organizations should also enforce stronger patch management policies to improve the security of BYOD devices.
Trend Micro Solutions
Trend Micro™ Mobile Security for Android™ (also available on Google Play) blocks malicious apps that may exploit this vulnerability. End users and enterprises can also benefit from its multilayered security capabilities that secure the device’s data and privacy, and safeguard them from ransomware, fraudulent websites, and identity theft. For organizations, Trend Micro™ Mobile Security for Enterprise provides device, compliance and application management, data protection, and configuration provisioning, as well as protects devices from attacks that leverage vulnerabilities, preventing unauthorized access to apps, as well as detecting and blocking malware and fraudulent websites.
Like it? Add this infographic to your site:
1. Click on the box below. 2. Press Ctrl+A to select all. 3. Press Ctrl+C to copy. 4. Paste the code into your page (Ctrl+V).
Image will appear the same size as you see above.
- Exposed Container Registries: A Potential Vector for Supply-Chain Attacks
- LockBit, BlackCat, and Clop Prevail as Top RAAS Groups: Ransomware in 1H 2023
- Diving Deep Into Quantum Computing: Modern Cryptography
- Uncovering Silent Threats in Azure Machine Learning Service: Part 2
- The Linux Threat Landscape Report