Home > Cyber News > Android Toast Overlay Attack Affects Million of Users (CVE-2017-0752)

Android Toast Overlay Attack Affects Million of Users (CVE-2017-0752)

Android toast overlay attack

Last week mobile security experts notified the public about a new attack using the newly-discovered Android Toast overlay exploit. The security issue that was found to be the main culprit is an overlay type of attack that is being exploited by the criminals. This so-called Android Toast overlay exploit has been found to cause hacker intrusions worldwide.

Related Story: EngineBox Malware Used in Attacks on Financial Institutions

Android Toast Overlay Exploit Exposed

Android users should be extra careful as the Toast overlay attack is a high-profile issue. The researchers who uncovered the attacks state that the exploit is related to the so-called “toast” notification. This is feature of the mobile operating system that provides feedback about an ongoing operation in a small popup. According to the experts all versions of Android prior to 8.0 Oreo are affected.

It is recommended that everyone applies all available security updates and see if their device manufacturer has issued the necessary patches. A successful exploit of the found problem can lead to a type of intrusion known as an overlay attack. The aim of the criminals is to create an user interface instance that is displayed over legitimate Android users. In most cases the hackers use social engineering tricks to steal account credentials from the victims.

This month’s Android security bulletin includes the exploit. The source code patches for the discovered vulnerabilities are going to be released to the Android Open Source Project (AOSP) which is the main source used by the device manufacturers to make the software for their products.

Android Toast Overlay Attacks Similar to Cloak and Dagger

The security experts note that the Android toast overlay attacks are very similar to another well-known intrusion type called “Cloak and Dagger”. It uses the Android permissions security system to manipulate the services called System Alert Window and the Bind Accessibility Service.

The System Alert Windows allows the hackers to place a dangerous app over a legitimate one by displaying fake alerts. The Bind Accessibility Feature is used to make the Android interface accessible to users that are visually impaired by displaying descriptors of the screen activities. Unlike them the Toast attacks do not require specific Android privileges. The “Cloak and Dagger” hit the victims by starting with a small victim base. The initial wave that carried the first infections was made in such a way that made discovery difficult.

Related Story: SonicSpy Android Spyware Generates over 1000 Apps

Android toast overlay protection image

Android Toast Overlay Method of Infiltration

Android users are being targeted using a a series of hacker attacks that have been noticed by security experts. The researchers note that one of the most popular mechanisms of intrusion is the use of counterfeit apps. They are usually distributed on the official app stores and repositories, as well as hacker-controlled sites. The criminals attempt to lure the victims into installing the apps by providing elaborate descriptions, screenshots and videos that look like legitimate applications.

Unlike previous attack mechanisms the new Android toast overlay attacks do not require explicit privileges when installing the fake apps. By exploiting other permissions that hackers were able to modify the screen overlays of the operating system and even inject fake input while at the same time maintaining a “stealth” environment. This makes detection and removal quite difficult as the victims usually cannot tell that their devices have been compromised.

The issue is currently being tracked under the CVE-2017-0752 advisory which reads the following:

A elevation of privilege vulnerability in the Android framework (windowmanager). Product: Android. Versions: 4.4.4, 5.0.2, 5.1.1, 6.0, 6.0.1, 7.0, 7.1.1, 7.1.2. Android ID: A-62196835.

To protect yourself from such security threats you should not install apps from sources other than the Google Play store. However this does not guarantee that your device will not get infected by a malware app. The hackers employ fake developer accounts and distribute fake software on the Google Play Store as well. In the most popular case they come as freeware optimization apps and games. When installing an app carefully review the permissions that are requested. If anything unusual is brought up then the users should disallow any interaction and/or installation.

Martin Beltov

Martin graduated with a degree in Publishing from Sofia University. As a cyber security enthusiast he enjoys writing about the latest threats and mechanisms of intrusion.

More Posts

Follow Me:

1 Comment
  1. Brandi Jowers

    What if I’m getting this message now in 2020 from chrome


Leave a Comment

Your email address will not be published. Required fields are marked *

This website uses cookies to improve user experience. By using our website you consent to all cookies in accordance with our Privacy Policy.
I Agree