Toast Amigo

Toast Amigo targets devices running Android OS and surreptitiously installs additional malware on an affected device using the Toast Overlay attack and is the first malware to weaponize this proof-of-concept. Toast Amigo was found embedded in several applications, one of which was available for download from the Google Play store. The malicious apps pose as legitimate app lockers meant to secure a device's applications with a PIN. After installation, the app requests accessibility permissions that, when granted, allow the app to click ads, install apps, and maintain persistence on the device. The app launches a decoy Toast Overlay window claiming it is analyze the device's apps while behind the scenes a second malware is downloaded. All versions of Android, including 8.0 Oreo, are affected and all Android users encouraged to update their device immediately.

The malware has the following capabilities:

  • Download a specified Android application package (APK)
  • Install an APK
  • Open the Accessibility permission for the other APK
  • Forcibly stop mobile security apps
  • Prepare actions for dialog prompts
  • Keep itself from being uninstalled
  • Keep its Accessibility permissions

Technical Details

  • Trend Micro provides technical details on the Toast Amigo Android malware here.