Toast Overlay attack, a warning for users of older versions of Android

Toast Overlay attack

Mobile security experts from Palo Alto Networks have detailed a new attack on Android devices. That uses "Toast" notifications to help malware in obtaining admin rights or access to Android"s Accessibility service often used to take over users" smartphones.

During the past few years, most of the top Android malware has used the same trick to get full control over a user"s device.

The malware fooling users during an app installation process to grant it the permission to display content on top of other apps.

Once malicious apps obtained this permission, they would use it to display intrusive pop-ups on the user screen, asking the user to confirm some message or take some action. In reality, the app would request access to the Android Accessibility service but use the "Draw on top" permission to display fake messages on top of the "Activate" button.

"Draw on top" permission

Similarly, malicious apps would use the same "Draw on top" permission that grants the attacker admin rights.



Their explorations led them to Toast messages, which are short-lived popups that appear at the bottom of the screen. The Android OS and many apps use this notification to display self-fading messages.

Researchers say that attackers can use Toast messages to carry out a variation of the Cloak & Dagger attack. Toast messages are useful for attackers because they inherently appear above any other applications. Toast messages do not require a malicious app to get the "Draw on top" permission during its installation process.

Instead of seeing an "Activate" button, attackers can use Toast messages to make the button say "Continue," instead. Further, researchers say that an attacker can loop Toast messages to appear continuously, masking legitimate content for as long as it"s necessary.

"The Toast attack requires fewer explicit user steps to exploit and can exploit by apps that don’t come from Google Play," Christopher Budd, Senior Manager of Cybersecurity and Threat Intelligence at Palo Alto Networks.

Palo Alto says all versions of Android, except the latest, are vulnerable to Toast overlay attacks.