Security News Android Malware Exploits Recently Patched 'Toast' Flaw

silversurfer

Level 85
Thread author
Verified
Honorary Member
Top Poster
Content Creator
Malware Hunter
Well-known
Aug 17, 2014
10,057
Researchers at Trend Micro have spotted the first known piece of malware to exploit a recently patched vulnerability affecting the Toast feature in Android.

The flaw, reported to Google by researchers at Palo Alto Networks, enables malicious actors to launch overlay attacks by abusing Android’s Toast feature, which allows applications to display messages and notifications on top of other apps. The feature is named Toast because the notifications pop up on the screen just like toast.

Overlay attacks are commonly used by Android malware for phishing attacks, but using Toast provides some advantages, including the fact that it does not require the same types of permissions as other windows, and it allows an app to display a window that covers the device’s entire screen.

The vulnerability, tracked as CVE-2017-0752 and classified as high risk, was patched by Google in September with its monthly Android security updates. Toast overlay attacks don’t work against devices running Android 8.0 Oreo.

On Thursday, Trend Micro researchers reported seeing the first piece of malware leveraging the Toast overlay exploit. The threat, detected by the company as TOASTAMIGO, was disguised as apps named Smart AppLocker that had been available on Google Play, from where they were downloaded hundreds of thousands of times. The applications have since been removed from Google Play.

The malicious apps claim to secure devices with a PIN code. Once installed, they request Accessibility permissions and inform the user that they need to scan the phone for unprotected apps. The Toast exploit is used to display a progress screen for the “scan,” but in the background the malware executes commands from the attackers and installs a second piece of malware named by Trend Micro AMIGOCLICKER.

In addition to downloading other malware, TOASTAMIGO can terminate mobile security apps and perform other actions that prevent it from being removed. AMIGOCLICKER has self-preservation capabilities as well, but it can also collect Google accounts, click on buttons in system dialogs, click on Facebook ads, and give itself a five-star rating on Google Play.

“The miscellany of the malware’s malicious functionalities, combined with a relatively unique attack vector, makes them credible threats. In fact, the aforementioned functionalities can actually be modified for further cyberattacks,” Trend Micro researchers said in a blog post. “Since TOASTAMIGO and AMIGOCLICKER can misuse Android’s Accessibility feature to virtually do anything, this malware can update itself when getting the remote server’s commands.”
 

oneeye

Level 4
Verified
Jul 14, 2014
174
Time to review which apps can "draw over other apps" and for those who can't turn that off in settings, be very careful of apps that want, or need this permission. And I very rarely give the ok for accessibility service, unless I really know the developer and implicitly trust them. Most honest developer's explain why they need it before you toggle it on.
 

About us

  • MalwareTips is a community-driven platform providing the latest information and resources on malware and cyber threats. Our team of experienced professionals and passionate volunteers work to keep the internet safe and secure. We provide accurate, up-to-date information and strive to build a strong and supportive community dedicated to cybersecurity.

User Menu

Follow us

Follow us on Facebook or Twitter to know first about the latest cybersecurity incidents and malware threats.

Top