A critical vulnerability in all Android devices running any version of the OS except 8.0 that if left unpatched can let hackers steal credentials, lock the device or install unwanted applications has been disclosed.
PaloAlto's Unit 42 reported the vulnerability allows for an overlay, specifically the Toast overlay, window attack to take place because the older Android versions simply do not have the checks in place that would prevent a malicious overlay window from taking over the device. The issue was brought Google's attention by Palo Alto on May 30, 2017 and the fix was included with the September 5 Android Security Bulletin. However, the patch must be deployed by users.
The starting point for this attack has the malicious actor spoofing the device owner into enabling the Android Accessibility Service and granting them device administrator privilege by changing what the victim sees on the display. This is usually accomplished through a clickjacker overlay attack.
The Toast overlay is a powerful and useful tool for the perpetrators as it has several built in abilities that can be co-opted.
“The Toast overlay is typically used to display a quick message over all other apps. For example, a message indicating that an e-mail has been saved as draft when a user navigates away without sending an e-mail. It naturally inherits all configuration options as for other windows types. However, our research has found using the Toast window as an overlay window allows an app to write over the interface of another App without requesting the SYSTEM_ALERT_WINDOW privilege this typically requires,” Unit 42 said.
Android versions 7.0 and earlier are vulnerable due to a missing permissions and operation check. Normally an overlay requires both, but with TYPE_TOAST neither check is in place and the request is just granted.
Two layers of protection are included in version 7.1, but these can be defeated. The layers include a timeout and only allowing a single layer to be used at a time. However, the single-layer protection is defeated with a LooperThread to continuously show a Toast window, this also confuses the timeout feature because with layers continuously appearing it cannot tell if it has been clicked.
Android 8.0, the newest, is fully protected.
Once the attacker as administrative rights it can install an app allowing that person to lock the device screen, reset the PIN, wipe the data and prevent the user from uninstalling the app.