Researchers Found New Overlay Malware Technique on Android
New overlay malware technique spotted.
Researchers at Palo Alto Networks have recently found a new Android malware technique that they have dubbed the "toast overlay malware." They pointed out in a blog post that all Android users should update their Android OS to the latest available version as soon as possible to avoid being at risk of attack from this new malware.
With the toast overlay malware, all Android versions besides Oreo are at risk. The malware uses a strategy of drawing invisible buttons over other apps so that when users tap their display, the malicious software is triggered instead.
By hiding buttons over the areas of the screen that Android users commonly tap, the malware can trick users into granting it more permissions and further access to the device. There is really no limit to the permissions you could be handing over to the malware. The malicious software could then be used to perform SMS tracking, email tracking, and even keylogging to gather data from unsuspecting infected users and steal their passwords or bank login details.
These types of Android overlay attacks aren't new. They have been around for a long time, and Google has worked hard to fight the problem: versions of Android before Oreo already had a system in place that gave some control over which apps were able to draw over others.
Google's security measures for protecting against overlay malware worked effectively, until now. A new attack method, called Cloak and Dagger, is being used to get overlay malware working on newer versions of Android released before Android Oreo. It is the same method that the toast overlay malware discussed in this article relies on.
With Cloak and Dagger, two key elements of the Android system are taken advantage of: the SYSTEM_ALERT_WINDOW permission and the BIND_ACCESSIBILITY_SERVICE permission. The first controls which apps may display alert windows and notifications on top of other apps. The second lets an app act as an accessibility service, a feature that allows other apps to be observed and adjusted to better suit users who are blind or hearing impaired.
If a piece of malware has been granted access to these features, it is able to perform the Cloak and Dagger attack, and Google's overlay protection measures are essentially circumvented.
In the case of the toast overlay malware, the Cloak and Dagger method is used in a new, more creative way. Essentially, the toast overlay malware only needs permission to use the previously mentioned accessibility service; with that alone it can create invisible notifications, known to the OS as toast notifications, and these notifications can cover the entire screen. Unlike previous overlay malware, it does not need the permission to create system alert windows.
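From the app developer's side, the standard defence against taps being hijacked through an overlay is to refuse touches that the framework reports as having passed through another app's window. The following is an added example written for this article, not code from Palo Alto Networks or from Android itself; it assumes a hypothetical button used for a sensitive action (confirming a payment or a permission grant) and relies on the documented Android `filterTouchesWhenObscured` behaviour and the `MotionEvent.FLAG_WINDOW_IS_OBSCURED` flag, which the system sets when a window owned by another app (an alert window or a toast) covers the touch point.

```java
import android.content.Context;
import android.util.AttributeSet;
import android.util.Log;
import android.view.MotionEvent;
import android.widget.Button;

// Hypothetical defensive widget (example only): a button for a sensitive action
// that drops any touch delivered while another app's window covers it.
public class ObscuredAwareButton extends Button {
    private static final String TAG = "ObscuredAwareButton";

    public ObscuredAwareButton(Context context, AttributeSet attrs) {
        super(context, attrs);
        // Ask the framework to discard touches that arrive through an overlay.
        // The same effect is available declaratively in the layout XML with
        // android:filterTouchesWhenObscured="true".
        setFilterTouchesWhenObscured(true);
    }

    // Called by the framework before the touch is dispatched to this view.
    // Returning false drops the event, so the click listener never fires.
    @Override
    public boolean onFilterTouchEventForSecurity(MotionEvent event) {
        boolean obscured =
                (event.getFlags() & MotionEvent.FLAG_WINDOW_IS_OBSCURED) != 0;
        if (obscured) {
            // Worth surfacing to the user and to app telemetry: a tap on a
            // sensitive control that came through another window is a strong
            // signal of an overlay (tapjacking) attempt.
            Log.w(TAG, "Touch rejected: window obscured by an overlay");
            return false;
        }
        return super.onFilterTouchEventForSecurity(event);
    }
}
```

The protection applies only to the views that opt in, so it should be enabled on every control whose tap has security consequences rather than relied on app-wide.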
According to Palo Alto, this new malware puts almost all Android users at risk. Only the latest version of Android, Android Oreo, can potentially protect users from this by limiting the overlay to just 3.5 seconds.
We would suggest that everybody update their smartphones to avoid being at risk of attack from such malware. Android users are also advised to be more cautious about which apps they install and which permissions they grant to them.
In most cases, applications from the Google Play Store are safe, but malware has slipped into the Play Store before, so you should be extra cautious when downloading apps from lesser-known developers, even on the Play Store.