Researchers at Palo Alto Networks warned in a blog post that users should rush to patch their Android phones against what they’re calling a “toast overlay” attack.
For all versions of Android other than the recently released Oreo, they describe how users can be tricked into installing a piece of malware that can overlay images atop other apps and elements of the phone’s controls and settings. It could, for instance, insert a picture of an innocent “continue installation” or mere “OK” button over another hidden button that invisibly gives the malware more privileges in the phone’s operating system or silently installs a rogue app—or it could simply take over the screen and lock the user out of all other parts of the phone in a form of ransomware.
“They can make it look like you’re touching one thing when you’re touching another,” says Palo Alto researcher Ryan Olson. “All they have to do is put an overlay of a button over ‘activate this app to be a device admin’ and they’ve tricked you into giving them control of your device.”
Android overlay attacks have existed for almost as long as Android itself. But despite repeated efforts from Android’s developers at Google to fix the problem, another version of the overlay attack was presented earlier this year at the Black Hat security conference. That new attack, known as Cloak and Dagger, took advantage of two features of Android to make overlay attacks possible again: one, called SYSTEM_ALERT_WINDOW, is designed to let apps display alerts on top of other apps; the other, known as BIND_ACCESSIBILITY_SERVICE, lets apps built for disabled users, such as the visually impaired, manipulate other apps, magnifying their text or reading it aloud. Any malware that performs the Cloak and Dagger attack would need to ask the user’s permission for those features when it’s installed, and the system alert feature is only granted automatically to apps distributed through the Google Play store.
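The two permissions named above are both declared in an app’s AndroidManifest.xml, which makes them a cheap triage signal for anyone vetting APKs. The script below is an added example, not code from Palo Alto Networks, Google or the Cloak and Dagger researchers: it parses a decoded (plain-XML) manifest and reports whether the app requests SYSTEM_ALERT_WINDOW and whether it declares a service bound with BIND_ACCESSIBILITY_SERVICE, rating an app that does both as higher risk. The manifest element and attribute names are Android’s standard ones; the two sample manifests and the package names in them are constructed for illustration.

```python
"""Triage check for the overlay-attack permissions discussed in the article.

Added example (not the article's or any vendor's code). Parses a decoded
AndroidManifest.xml and flags the two capabilities Cloak and Dagger relies on:
  - a request for android.permission.SYSTEM_ALERT_WINDOW (draw over other apps)
  - a service guarded by android.permission.BIND_ACCESSIBILITY_SERVICE
Requesting either is not proof of malice (screen readers and magnifiers need
them legitimately); the result is a reason to look closer, not a verdict.
"""
import sys
import xml.etree.ElementTree as ET

# Standard Android manifest namespace; attributes are android:name etc.
ANDROID_NS = "http://schemas.android.com/apk/res/android"
OVERLAY_PERMISSION = "android.permission.SYSTEM_ALERT_WINDOW"
ACCESSIBILITY_BIND = "android.permission.BIND_ACCESSIBILITY_SERVICE"


def _attr(elem, name):
    """Read a namespaced android:<name> attribute, or None if absent."""
    return elem.get(f"{{{ANDROID_NS}}}{name}")


def overlay_risk(manifest_xml: str) -> dict:
    """Return the overlay-related findings for one manifest.

    risk is "high" when both capabilities are present (the full Cloak and
    Dagger combination), "medium" when only one is, and "none" otherwise.
    """
    root = ET.fromstring(manifest_xml)
    requested = {_attr(p, "name") for p in root.iter("uses-permission")}
    requests_overlay = OVERLAY_PERMISSION in requested
    # An accessibility service is a <service> protected by the bind permission;
    # its name is what the user would see in Settings > Accessibility.
    accessibility_services = [
        _attr(svc, "name")
        for svc in root.iter("service")
        if _attr(svc, "permission") == ACCESSIBILITY_BIND
    ]
    signals = int(requests_overlay) + int(bool(accessibility_services))
    risk = {0: "none", 1: "medium", 2: "high"}[signals]
    return {
        "package": root.get("package"),
        "requests_overlay": requests_overlay,
        "accessibility_services": accessibility_services,
        "risk": risk,
    }


# Constructed sample: asks for both capabilities, as Cloak and Dagger malware would.
SUSPICIOUS_MANIFEST = """<manifest xmlns:android="http://schemas.android.com/apk/res/android"
    package="com.example.constructed.overlay">
  <uses-permission android:name="android.permission.INTERNET"/>
  <uses-permission android:name="android.permission.SYSTEM_ALERT_WINDOW"/>
  <application>
    <service android:name=".HelperService"
        android:permission="android.permission.BIND_ACCESSIBILITY_SERVICE">
      <intent-filter>
        <action android:name="android.accessibilityservice.AccessibilityService"/>
      </intent-filter>
    </service>
  </application>
</manifest>
"""

# Constructed sample: an ordinary networked app with neither capability.
BENIGN_MANIFEST = """<manifest xmlns:android="http://schemas.android.com/apk/res/android"
    package="com.example.constructed.benign">
  <uses-permission android:name="android.permission.INTERNET"/>
  <application>
    <activity android:name=".MainActivity"/>
  </application>
</manifest>
"""


def main(argv):
    """Scan manifest files given on the command line, or the built-in samples."""
    if len(argv) > 1:
        sources = [(path, open(path, encoding="utf-8").read()) for path in argv[1:]]
    else:
        sources = [("sample:suspicious", SUSPICIOUS_MANIFEST),
                   ("sample:benign", BENIGN_MANIFEST)]
    for label, xml_text in sources:
        result = overlay_risk(xml_text)
        print(f"{label}: package={result['package']} risk={result['risk']} "
              f"overlay={result['requests_overlay']} "
              f"accessibility={result['accessibility_services']}")


if __name__ == "__main__":
    main(sys.argv)
```

Run it against manifests extracted with a decoder such as apktool (the binary manifest inside an APK must be converted to text first); an app that scores “high” but has no visible accessibility purpose is the pattern the article describes and worth a manual review before installation.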