With the growing number of people relying on apps for their day-to-day tasks, security is becoming the main cause of concern. A lot of effort goes into “sandboxing” apps to keep them separated from each other, so that no rogue program can manipulate another app’s sensitive business. Even after such measures, recent findings by security researchers suggest that an unexpected feature of Android can, without being noticed, grant an app permission to reach outside its sandbox. It does not stop there: the app can also redraw the phone’s screen while another part of the operating system is running, so users are tricked into tapping fake buttons that can lead to unexpected results. This is the newest kind of attack, one in which Android hackers can hijack your finger inputs more easily than ever before.
What’s the Hack?
In his blog post on Thursday, a Palo Alto researcher suggested that users patch their Android phones against the latest “toast overlay” attack, which affects all versions of Android other than Oreo. He explained how users can be tricked into installing malware that overlays images on top of other apps and on elements of the phone’s controls and settings. As an example, he showed how simply placing a picture of a “continue installation” or mere “OK” button over another, hidden button can invisibly give the malware more privileges in the phone’s operating system, or how it can silently install a rogue app that takes control of the screen and locks the user out of all other parts of the phone, in a form of ransomware.
Palo Alto researcher Ryan Olson further stated: “They can make it look like you’re touching one thing when you’re touching another. All they have to do is put an overlay of a button over ‘activate this app to be a device admin’ and they’ve tricked you into giving them control of your device.”
It is not that overlay attacks are new to Android; Android developers have repeatedly reported the problem to Google to fix. This year another version of the overlay attack, “Cloak and Dagger,” was presented at the Black Hat security conference. It took advantage of two features of Android, namely SYSTEM_ALERT_WINDOW and BIND_ACCESSIBILITY_SERVICE.
SYSTEM_ALERT_WINDOW allows apps to draw alerts over other apps, whereas BIND_ACCESSIBILITY_SERVICE allows apps built for disabled users, such as the visually impaired, to use accessibility features to manipulate other apps, magnifying their text or reading it aloud. For the Cloak and Dagger attack to be executed, it needs the user’s permission for those features when it is being installed, and the system alert feature is only allowed for apps from the Google Play store.
The toast overlay attack goes one step further: it uses the accessibility feature to perform a specific form of overlay using so-called “toast” notifications that pop up and fill the screen, and these do not need the system alert permission. This not only reduces the permissions the user must be tricked into granting but also means the malware could be distributed from outside the Google Play store, where it wouldn’t be subject to Google’s security checks. When questioned by news media about the recent attacks, a Google spokesperson declined to comment but noted that Google released a patch for the problem on Tuesday.
Who Is Affected?
According to Palo Alto, every version of Android prior to Oreo is vulnerable to the attack unless you have already installed the Google patch.
Palo Alto notes that recent versions of Android prior to Oreo do have a protection that only allows a toast notification to be displayed for 3.5 seconds, but it can be bypassed by simply putting the notification on a repeated, timed loop.
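As an added illustration of the defensive side (this code is not from the article or from Palo Alto Networks), the following Java snippet shows the standard app-level tapjacking mitigation Android offers, so that a button granting a privileged action ignores taps that land while another window is drawn over it; the activity, layout and view names are hypothetical.

```java
// Added example, not code from the article or from Palo Alto Networks: the
// standard Android tapjacking defence for a screen that confirms a privileged
// action. Taps that arrive while another window is drawn over this one are
// dropped instead of reaching the button. Hypothetical names: GrantActivity,
// R.layout.activity_grant and R.id.confirm_button.
import android.app.Activity;
import android.content.Context;
import android.os.Bundle;
import android.provider.Settings;
import android.view.MotionEvent;
import android.widget.Button;
import android.widget.Toast;

public class GrantActivity extends Activity {
    @Override
    protected void onCreate(Bundle savedInstanceState) {
        super.onCreate(savedInstanceState);
        setContentView(R.layout.activity_grant);
        Button confirm = (Button) findViewById(R.id.confirm_button);

        // 1. Platform filter: the framework discards touches delivered while this
        //    view's window is obscured, so onClick never fires for such taps.
        confirm.setFilterTouchesWhenObscured(true);

        // 2. Inspect the obscured flag ourselves so the user learns why the tap
        //    was ignored rather than the app silently swallowing it.
        confirm.setOnTouchListener((v, event) -> {
            if ((event.getFlags() & MotionEvent.FLAG_WINDOW_IS_OBSCURED) != 0) {
                Toast.makeText(this, "Another app is covering the screen; tap ignored.",
                        Toast.LENGTH_SHORT).show();
                return true;  // consume the event; onClick does not run
            }
            return false;     // not obscured: normal click handling proceeds
        });

        confirm.setOnClickListener(v -> performPrivilegedAction());
    }

    private void performPrivilegedAction() {
        // The sensitive operation (e.g. requesting device-admin rights) goes here.
    }

    // The toast attack needs an enabled accessibility service, so a security
    // sensitive app can list what is enabled and warn the user about unknown ones.
    // Returns the ':'-separated component names Android stores, or "" if none.
    static String enabledAccessibilityServices(Context ctx) {
        String list = Settings.Secure.getString(ctx.getContentResolver(),
                Settings.Secure.ENABLED_ACCESSIBILITY_SERVICES);
        return list == null ? "" : list;
    }
}
```

Which overlay window types set FLAG_WINDOW_IS_OBSCURED has changed across Android releases, so this app-side check complements the platform patch rather than replacing it.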
The Seriousness of the Issue
Palo Alto considers the toast overlay attack a “high severity vulnerability,” though it is not yet a cause for alarm, as no reports of this attack being used in the wild are known. A user would have to make several mistakes in a row for this attack to cause real harm: install the malware that’s equipped with the method after it has snuck into the Play store (or make the less forgivable mistake of installing it from a source outside Play), and then grant it “accessibility” permissions before it could start popping up its deceptive toast notifications. Though the attack may not be powerful enough to set panic among users, it’s better to patch your phone’s operating system now than worry about malicious toasts seizing its screen for ransom.