A vulnerability in nearly all of the current versions of Android can be used by attackers to execute an overlay attack to trick users into installing malware, ransomware, or other malicious apps.
The flaw affects most of the Android devices in use right now, except for those that have been updated to Oreo, the newest Android release. Google released a fix for the vulnerability in its September Android patch update, but carriers and manufacturers are slow to get those updates to users, who don’t always install new versions immediately. That leaves a lot of vulnerable devices.
Researchers at Palo Alto Networks are warning that a malicious app installed on a vulnerable device could execute an overlay attack using this vulnerability and bypass some of the mitigations that typically prevent many such attacks on Android. An overlay attack involves an app laying a window on top of another screen in order to trick the user into clicking a specific button. This technique has been around for several years and is often used by malicious apps to gain extra permissions or install ransomware.
In most cases, Android apps would need to come from the official Play Store and have admin privileges in order to make this work. But Palo Alto’s researchers said the CVE-2017-0752 flaw can be used to abuse the “toast” notification system in Android.
“Unlike other window types in Android, Toast doesn’t require the same permissions, and so the mitigating factors that applied to previous overlay attacks don’t apply here. Additionally, our researchers have outlined how it’s possible to create a Toast window that overlays the entire screen, so it’s possible to use Toast to create the functional equivalent of regular app windows,” Palo Alto’s Unit 42 research team said in a report on the attack possibility.
“In light of this latest research, the risk of overlay attacks takes on a greater significance. Fortunately, the latest version of Android is immune from these attacks “out of the box.” However, most people who run Android run versions that are vulnerable. This means that it’s critical for all Android users on versions before 8.0 to get updates for their devices.”
The safest course for Android users is to install apps only from Google Play and avoid third-party app stores. But it’s also vital that users install patches as soon as possible to protect against new attacks.
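An added example (not from this article or from Palo Alto's report): a fleet triage that applies the exposure conditions stated above to each device's Android release and security patch level, as read from the `ro.build.version.release` and `ro.build.version.security_patch` system properties. The `2017-09-01` threshold is an assumed patch-level string for the September update, and the inventory rows and function names are constructed for illustration.

```python
from datetime import date

# Assumption: patch-level string of the September update the article mentions.
FIXED_PATCH_LEVEL = date(2017, 9, 1)
# From the article: Android 8.0 (Oreo) is not affected out of the box.
FIRST_IMMUNE_MAJOR = 8


def parse_patch_level(value):
    """Return a date for 'YYYY-MM-DD', or None if missing or malformed."""
    try:
        year, month, day = (int(part) for part in value.strip().split("-"))
        return date(year, month, day)
    except (AttributeError, ValueError):
        return None


def classify(release, security_patch):
    """Return 'not-affected', 'patched', 'vulnerable' or 'unknown'."""
    try:
        major = int(release.strip().split(".")[0])
    except (AttributeError, ValueError):
        return "unknown"  # non-numeric release string: needs manual review
    if major >= FIRST_IMMUNE_MAJOR:
        return "not-affected"
    level = parse_patch_level(security_patch)
    if level is None:
        # Property may be absent on older builds: no evidence of the fix.
        return "vulnerable"
    return "patched" if level >= FIXED_PATCH_LEVEL else "vulnerable"


# Constructed inventory: (label, release, security patch level), i.e. the
# values `adb shell getprop <property>` would report for each device.
INVENTORY = [
    ("lab-01", "7.1.1", "2017-08-05"),
    ("lab-02", "7.0", "2017-09-05"),
    ("lab-03", "8.0.0", "2017-08-05"),
    ("lab-04", "5.1.1", ""),
    ("lab-05", "O", "2017-07-01"),
]


def audit(inventory):
    return {label: classify(rel, patch) for label, rel, patch in inventory}


if __name__ == "__main__":
    for label, status in audit(INVENTORY).items():
        print(f"{label}: {status}")
```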