A new vulnerability has been discovered affecting older versions of the Google Android Platform.It can be used to easily enable an “overlay attack”, tricking the user into unwittingly installing malware onto the device, or taking it over completely, or lock the device reports Palo Alto Networks' Threat Intelligence team, Unit 42.
This new vulnerability does NOT affect Android 8.0 Oreo, the latest version; but it does affect all prior versions of Android. And as Android 8.0 is a relatively recent release, nearly all Android users should take action today and apply updates that are available to address this vulnerability. Patches are available to protect against this vulnerability, however Palo Alto Networks recommends only downloading apps from Google Play, where rigorous screening helps keeps these threats out altogether.
An “overlay attack” is an attack where an attacker's app draws a window over (or “overlays”) other windows and apps running on the device. When done successfully, this can enable an attacker to convince the user he or she is clicking one window when, in fact, he or she is actually clicking another window.
In a blog by Christopher Budd, senior threat communications manager at Palo Alto Networks, he explains how previously, as reported by the IEEE Security & Privacy paper, these attacks were not considered a serious threat due to serious mitigating factors; they needed to explicitly request the “draw on top” permission from the user when installed and had to be installed from Google Play.
However, Unit 42 research has shown that there is a way to carry out overlay attacks where these mitigating factors don't apply. This new vulnerability enables an overlay attack simply by being installed on the device. So malicious apps from websites and app stores other than Google Play can carry out overlay attacks.
The vulnerability affects an Android feature known as “Toast.” “Toast” is a type of notification window that “pops” (like toast) on the screen. “Toast” is typically used to display messages and notifications over other apps.
Toast doesn't require the same permissions as other window types in Android so the mitigating factors that applied to previous overlay attacks don't apply here. The researchers outlined how it's possible to create a Toast window that overlays the entire screen, so it's possible to use Toast to create the functional equivalent of regular app windows.
All Android users on versions before 8.0 are therefore vulnerable and urged to get updates for their devices.