A new piece of malware has been uncovered that uses an updated methodology to abuse the previously patched Android Toast overlay vulnerability; once installed, it can download additional malware as well as use various permissions to access the phone.
The malware is called ToastAmigo, detected by Trend Micro as ANDROIDOS_TOASTAMIGO, and is believed to represent the first observed weaponized use of vulnerability CVE-2017-0752 in Toast, Trend Micro mobile threat analyst Lorin Wu reported. This type of attack was shown as possible in a proof of concept earlier this year and Google issued a patch for the flaw in September.
Trend Micro found two apps, disguised as app lockers and both named Smart AppLocker, that are being used to spread ToastAmigo. One of the apps (Wu did not say which) had been downloaded more than 500,000 times as of November 6. The full extent of the malware's capabilities is not known, but it is thought to have ad-clicking, app-installing, and self-protecting/persistence capabilities.
What makes using Toast as an attack vector nasty is that it is a totally legitimate function that allows for what are essentially pop-up windows to appear over another open app. In the proof of concept tests that took place earlier this year, Toast was abused when the malicious app overlaid a legitimate-looking screen over a malicious app. The legit screen's clickable icons align with malicious icons located on the “underneath” app, so when the user thought he or she was clicking something safe like “update”, they were in fact giving the malicious app vital permissions or even downloading more malware.
However, this older attack method had to overcome two major hurdles to be effective. It had to request the “draw on top” permission from the user when installed and could only be installed from Google Play.
ToastAmigo does away with these two mitigating factors, making it much more dangerous. Now the malicious app merely has to reside on the phone to function without requiring any user permissions, and the app can be downloaded from sources other than Google Play.
The fake app lockers that were recently found by Trend Micro used a simple overlay that was placed over the app's actual user interface. The overlay asks the user to click a “confirm” link that is supposed to send the user into the device's settings. Instead, the “confirm” link starts the attack. To keep the victim from becoming worried, the app shows a window indicating that it is being scanned.
End users have few options to protect themselves from ToastAmigo. The most effective step is to ensure the September patch has been downloaded, but otherwise only practicing good mobile device hygiene will be effective. Primarily, users should only download apps from Google Play.
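The two mitigations the article names, the September patch and avoiding sideloading, can both be checked from a device's `adb` output. The following script is an added example and is not code from the article, from Trend Micro, or from the malware analysis; it parses `adb shell getprop` output (the real `[key]: [value]` format) and the value of `adb shell settings get secure install_non_market_apps` (which exists on Android 7 and earlier), and flags devices whose `ro.build.version.security_patch` predates the first September 2017 patch level, assumed here to be `2017-09-01`. The device dumps embedded below are constructed samples, not real devices.

```python
import re
from datetime import date

# The September 2017 bulletin's first patch level; assumed here to be the level
# that carries the Toast overlay (CVE-2017-0752) fix the article refers to.
PATCHED_LEVEL = date(2017, 9, 1)

# One `[key]: [value]` pair per line, as printed by `adb shell getprop`.
_PROP_RE = re.compile(r"^\[(?P<key>[^\]]+)\]: \[(?P<value>[^\]]*)\]$")


def parse_getprop(output: str) -> dict:
    """Parse `adb shell getprop` output into a {key: value} dict."""
    props = {}
    for line in output.splitlines():
        m = _PROP_RE.match(line.strip())
        if m:
            props[m.group("key")] = m.group("value")
    return props


def parse_patch_level(value: str):
    """Convert a 'YYYY-MM-DD' ro.build.version.security_patch value to a date.

    Returns None for missing or malformed values so callers treat them as
    unverified rather than silently as patched.
    """
    try:
        y, m, d = (int(part) for part in value.split("-"))
        return date(y, m, d)
    except (ValueError, AttributeError):
        return None


def assess_device(getprop_output: str, non_market_setting: str = "") -> dict:
    """Summarise one device's exposure.

    getprop_output:     text of `adb shell getprop`
    non_market_setting: text of `adb shell settings get secure
                        install_non_market_apps` ("1" = sideloading allowed)
    """
    props = parse_getprop(getprop_output)
    level = parse_patch_level(props.get("ro.build.version.security_patch", ""))
    return {
        "model": props.get("ro.product.model", "unknown"),
        "patch_level": level.isoformat() if level else None,
        # Missing or unparseable levels are reported as exposed on purpose.
        "toast_overlay_fix_missing": level is None or level < PATCHED_LEVEL,
        "sideloading_enabled": non_market_setting.strip() == "1",
    }


# Constructed sample dumps (not real devices), trimmed to the relevant keys.
DEVICE_A = """\
[ro.build.version.release]: [7.0]
[ro.build.version.security_patch]: [2017-08-05]
[ro.product.model]: [Constructed-A]
"""

DEVICE_B = """\
[ro.build.version.release]: [7.1.2]
[ro.build.version.security_patch]: [2017-10-05]
[ro.product.model]: [Constructed-B]
"""

if __name__ == "__main__":
    for dump, sideload in ((DEVICE_A, "1"), (DEVICE_B, "0")):
        print(assess_device(dump, sideload))
```

In practice the two inputs come from `adb shell getprop` and `adb shell settings get secure install_non_market_apps` run against each managed device; a device that reports `toast_overlay_fix_missing` and `sideloading_enabled` together is the combination the article describes as most exposed. Devices on Android 8 and later no longer expose the global sideloading setting, so the second flag is only meaningful for older builds.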