New Overlay Attack Exploits Android Toast Messages

Researchers at Palo Alto Networks discovered a new type of overlay attack against Android devices that allows a malicious app to exploit “Toast” notifications to obtain administrative rights or access to the Accessibility service and take over the user’s device. The new variation of a known technique, “Cloak & Dagger,” exploits “Toast” messages, which are short-lived popups that appear at the bottom of the screen. After the user installs a malicious app, it requests administrative rights or access to the Android Accessibility service and uses Toast messages to mask the confirmation messages. This vulnerability can be exploited by apps available in the Google Play store and third-party stores, and affects Android versions up to and including 7.0. Google now requires apps that use Toast messages to ask for the “Draw on top” permission. The NJCCIC recommends all Android users review the Palo Alto Networks report, be cautious when granting permissions to apps and avoid granting administrative rights, only download apps from the official Google Play store, and apply the upgrade to Android 8.0 Oreo as soon as it is available to mitigate this threat.
