
Android Toast Overlay Attack


This content has been archived

This article no longer conforms to NHS Digital's standards for cyber alerts, and may contain outdated or inaccurate information. Use of the information contained in this page is at your own risk.

Summary

A new method of cyber attack, known as an overlay attack, has been detailed. A successful overlay attack allows a UI (user interface) to be placed over the top of the existing UI, masking what the user is actually interacting with. This can lead to a user accepting permission requests and performing other actions on behalf of malicious applications, potentially causing a full device compromise. Devices running versions of Android prior to 8.0 (Oreo) are vulnerable to this attack.

Affected platforms

The following platforms are known to be affected:

  • Android versions prior to 8.0 (Oreo)

Threat details

A successful overlay attack can lead to a user accepting permission requests and performing other actions on behalf of malicious applications, potentially causing a full device compromise. Devices running versions of Android prior to 8.0 (Oreo) are vulnerable to this attack.

The vector has the ability to escalate privileges on a target device; however, this relies on social engineering, because the user must first install an initial application, either from an official app store or, more likely, from a third-party source.

This attack overcomes previous mitigations by using a special notification type, called a Toast. A Toast is primarily used as a pop-up notification, presented over the top of an application, that displays a short message to the user. The use of a Toast is key to the attack: because this window type is not bound by the same restrictions as other window types, an app can display a Toast without needing to ask for the additional privilege and without having been installed from the Play Store. On top of this, a carefully designed Toast can be made to cover the entire screen.

From this stage, an attack can be launched by the unverified app without requesting any additional privileges. By presenting the user with an inconspicuous screen, such as an app update screen, the Toast can hide the permission screen of a different app that is requesting full administrator privileges underneath. For example, an OK button could be placed directly over the accept button. When the user taps what they believe to be a harmless update to an existing app, they are in fact granting full administrator privileges to a malicious app, giving it full access to the device with nothing to tip off the user.

The Toast vulnerability could also be used for a denial of service attack. By presenting a screen that cannot be dismissed over the top of a display showing a ransom note, there is an opportunity for this vulnerability to be used in ransomware-type mobile malware.


Threat updates

16 Nov 2017: TOASTAMIGO has been seen using this vulnerability. The malware appears on the Google Play Store as an application to secure the device's applications with a PIN code. Upon installation, the application notifies the user that it needs to be granted accessibility permissions in order to work. This allows the malware to bypass Android's countermeasures that require applications to have explicit user permissions. After permissions are granted, the malicious application launches a window to "analyze" the applications. Instead, it carries out actions or commands, including the installation of further malware.

Remediation

  • Where Android OS is in use on the estate, consider rolling out Android 8.0 where available.
  • Limit app installations to those tested and required for the user to perform their role.
  • Block installations from third-party sources and, where possible, only use officially recognised apps from the Google Play Store.
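The three remediation points above, together with the TOASTAMIGO pattern in the threat update (an untrusted app that is granted accessibility access after install), can be turned into a per-device check that estate tooling runs over data collected with adb. The script below is an added example and is not part of the NHS Digital alert. It evaluates text of the kind that `adb shell getprop ro.build.version.sdk`, `adb shell settings get secure install_non_market_apps`, `adb shell settings get secure enabled_accessibility_services` and `adb shell pm list packages -3` return; every output string in it is a constructed sample rather than captured device output, and `APPROVED_PACKAGES` is a hypothetical allow-list standing in for the estate's own list of tested apps.

```python
"""Device posture triage for the Android Toast overlay alert.

Added example; not part of the NHS Digital alert. It evaluates the text
that fleet tooling would collect from a device with adb and maps the
results onto the alert's remediation points (OS version below 8.0,
untested third-party apps, installs from third-party sources) and the
TOASTAMIGO pattern of an untrusted app holding accessibility access.
Every adb output string below is a constructed sample, not captured
output, and APPROVED_PACKAGES is a hypothetical estate allow-list.
"""

# Android 8.0 (Oreo) is API level 26; the alert covers releases below it.
OREO_SDK_INT = 26

# Constructed sample of `adb shell getprop ro.build.version.sdk`.
SAMPLE_SDK = "25\n"
# Constructed sample of `adb shell getprop ro.build.version.release`.
SAMPLE_RELEASE = "7.1.2\n"
# Constructed sample of `adb shell settings get secure install_non_market_apps`
# (the pre-8.0 global "unknown sources" switch; 1 = enabled, "null" = unset).
SAMPLE_UNKNOWN_SOURCES = "1\n"
# Constructed sample of `adb shell settings get secure enabled_accessibility_services`
# (colon-separated package/service component names).
SAMPLE_ACCESSIBILITY = (
    "com.example.applock/com.example.applock.LockService:"
    "com.android.talkback/.TalkBackService\n"
)
# Constructed sample of `adb shell pm list packages -3` (third-party packages only).
SAMPLE_THIRD_PARTY = "package:com.example.applock\npackage:com.example.mail\n"

# Hypothetical allow-list of apps the estate has tested and approved.
APPROVED_PACKAGES = {"com.example.mail"}


def parse_setting_int(text):
    """Parse a numeric `settings get` / `getprop` value; None if unset."""
    value = text.strip()
    return None if value in ("", "null") else int(value)


def parse_packages(text):
    """Turn `pm list packages` output into a sorted list of package names."""
    return sorted(
        line.split(":", 1)[1].strip()
        for line in text.splitlines()
        if line.startswith("package:")
    )


def parse_accessibility_services(text):
    """Split the enabled-services setting into component name strings."""
    return [svc for svc in text.strip().split(":") if svc]


def assess(sdk_int, release, unknown_sources, accessibility_services, third_party):
    """Return a list of (severity, message) findings for one device."""
    findings = []
    if sdk_int is not None and sdk_int < OREO_SDK_INT:
        findings.append(("HIGH", f"Android {release} (API {sdk_int}) is below 8.0 "
                                 f"(API {OREO_SDK_INT}) and is exposed to the Toast overlay attack"))
    if unknown_sources == 1:
        findings.append(("HIGH", "Installation from third-party (unknown) sources is enabled"))
    unapproved = {pkg for pkg in third_party if pkg not in APPROVED_PACKAGES}
    for pkg in sorted(unapproved):
        findings.append(("MEDIUM", f"Third-party app {pkg} is not on the approved list"))
    # TOASTAMIGO asked for accessibility access after install; flag any
    # unapproved app that has been granted it.
    for svc in accessibility_services:
        pkg = svc.split("/", 1)[0]
        if pkg in unapproved:
            findings.append(("HIGH", f"Unapproved app {pkg} holds accessibility access ({svc})"))
    return findings


def assess_sample():
    """Run the assessment over the constructed sample outputs."""
    return assess(
        parse_setting_int(SAMPLE_SDK),
        SAMPLE_RELEASE.strip(),
        parse_setting_int(SAMPLE_UNKNOWN_SOURCES),
        parse_accessibility_services(SAMPLE_ACCESSIBILITY),
        parse_packages(SAMPLE_THIRD_PARTY),
    )


if __name__ == "__main__":
    for severity, message in assess_sample():
        print(f"[{severity}] {message}")
```

On the constructed sample the script reports four findings: the 7.1.2 build is below Oreo, unknown-source installs are switched on, `com.example.applock` is not on the approved list, and that same unapproved app has been granted accessibility access. The `install_non_market_apps` setting only exists on releases before 8.0, which replaced it with a per-app "install unknown apps" permission, so `parse_setting_int` treats the `null` that newer devices return as "no finding" rather than as a failure.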


Last edited: 17 February 2020 11:26 am