11 Sep 2017
Security specialists have discovered an unexpected feature of Android that can grant an application the ability not just to reach outside its sandbox but to fully redraw the smartphone’s screen while another part of the operating system is running, deceiving users into tapping fake buttons that can have unexpected consequences.

The Hack

On Thursday, specialists at Palo Alto Networks warned in a blog post that users should hurry to patch their Android smartphones against what they’re calling a “toast overlay” attack. Users of every version of Android except the recently released Oreo can be tricked into installing a piece of malware that overlays images on top of other applications and on the smartphone’s controls and settings.

It could, for example, place an innocuous-looking “OK” button or a picture of a harmless “continue installation” prompt over a hidden button that invisibly grants the malware more privileges in the operating system or quietly installs a rogue application.

Also, it could simply take control of the screen and lock the user out of the phone, in the manner of ransomware. Either way, the user is tricked into handing control of the phone to the attacker.

Overlay attacks have existed for as long as Android itself. Despite repeated efforts by Google, which maintains Android, to settle the problem, another version of the overlay attack was presented earlier this year at the Black Hat security conference.

The new attack, known as Cloak and Dagger, exploits two features of Android to make the attacks possible again. One, called SYSTEM_ALERT_WINDOW, is intended to let applications show alerts. The other, known as BIND_ACCESSIBILITY_SERVICE, lets applications built for users with disabilities, for example the visually impaired, manipulate other applications, magnifying their text or reading it aloud.

The system alert permission is only available to applications installed from the Google Play Store, and any malware performing the Cloak and Dagger attack must ask the user for those permissions when it is installed.

The Palo Alto researchers said the toast overlay attack takes Cloak and Dagger one step further. They discovered that they could hijack the accessibility feature to perform a particular type of overlay using so-called “toast” notifications that pop up and fill the screen, with no need for the system alert permission.

That not only reduces the permissions the user must be tricked into granting but also means the malware could be delivered from outside the Google Play Store.
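One check a reviewer vetting apps can run for the two capabilities named above, as an added example that is not part of the original article or of Palo Alto's research: it parses a decoded AndroidManifest.xml and flags SYSTEM_ALERT_WINDOW and any service bound with BIND_ACCESSIBILITY_SERVICE. The sample manifest and the app name in it are constructed.

```python
# Added example (not from the article): triage a decoded AndroidManifest.xml
# for the two capabilities overlay attacks depend on. The sample manifest
# below is constructed for the demo and is not a real app.
import xml.etree.ElementTree as ET

ANDROID_NS = "http://schemas.android.com/apk/res/android"
OVERLAY_PERM = "android.permission.SYSTEM_ALERT_WINDOW"
A11Y_PERM = "android.permission.BIND_ACCESSIBILITY_SERVICE"


def triage_manifest(manifest_xml: str) -> dict:
    """Report which overlay-related capabilities a manifest requests.

    'overlay'       - app declares SYSTEM_ALERT_WINDOW (classic overlay, Cloak and Dagger)
    'accessibility' - app declares a service guarded by BIND_ACCESSIBILITY_SERVICE
                      (the only permission the toast overlay attack needs)
    'findings'      - notes for the reviewer
    """
    root = ET.fromstring(manifest_xml)
    name_attr = f"{{{ANDROID_NS}}}name"
    perm_attr = f"{{{ANDROID_NS}}}permission"
    perms = {e.get(name_attr) for e in root.iter("uses-permission")}
    a11y_services = [s.get(name_attr) for s in root.iter("service")
                     if s.get(perm_attr) == A11Y_PERM]
    result = {"overlay": OVERLAY_PERM in perms,
              "accessibility": bool(a11y_services),
              "findings": []}
    if result["overlay"]:
        result["findings"].append("requests SYSTEM_ALERT_WINDOW: can draw over other apps")
    for svc in a11y_services:
        result["findings"].append(f"accessibility service {svc}: can read and drive other apps' UI")
    if result["accessibility"] and not result["overlay"]:
        result["findings"].append("accessibility without overlay permission: matches the "
                                  "toast overlay pattern, review what the service is for")
    return result


# Constructed sample manifest (hypothetical package and service names).
SAMPLE_MANIFEST = """<manifest xmlns:android="http://schemas.android.com/apk/res/android" package="com.example.sample">
  <uses-permission android:name="android.permission.INTERNET"/>
  <application>
    <service android:name=".HelperService" android:permission="android.permission.BIND_ACCESSIBILITY_SERVICE">
      <intent-filter><action android:name="android.accessibilityservice.AccessibilityService"/></intent-filter>
    </service>
  </application>
</manifest>"""

if __name__ == "__main__":
    for line in triage_manifest(SAMPLE_MANIFEST)["findings"]:
        print(line)
```

Feed it the manifest of each app under review (decoded from the APK with a tool such as apktool) and treat an accessibility service with no obvious accessibility purpose as something to look at before granting the permission.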

Who’s Affected?

As mentioned above, every version of Android except Oreo is vulnerable to the new version of the overlay attack unless Google’s patch has already been installed. The latest version of Android prior to Oreo has a safeguard that only permits a toast notification to be displayed for 3.5 seconds, but that can be evaded by putting the notification on a repeated, timed loop.

How serious is this?

While Palo Alto calls its toast overlay technique a “high severity vulnerability,” it is no cause for panic. Palo Alto says it has yet to investigate the attack. Also, users would have to make a series of mistakes before the attack could wreak its havoc.

You’d first have to install the malware that carries the technique, either after it has sneaked into the Play Store or, less excusably, from a source outside Play, and then grant it “accessibility” permissions before it could begin popping up its misleading toast notifications.

However, that doesn’t mean the toast overlay attack isn’t worth a quick update to fix. It is better to patch your phone’s operating system now than to worry about this malicious toast later.
