Palo Alto Networks researchers have discovered a vulnerability that affects Android devices running any version older than Oreo. The vulnerability allows attackers to lock the device screen, reset the PIN, wipe the data, and prevent the user from uninstalling the malicious app, all by tricking the user into clicking a fake dialog box that asks for permission. Palo Alto Networks informed Google about the vulnerability on May 30, 2017.
Reporting on the discovery, the Palo Alto Networks Unit 42 research team said that the vulnerability enables an overlay window attack: by changing what the victim sees on the display, a malicious app tricks the user into enabling the Android Accessibility Service and granting device administrator privileges to the attacker. The overlay in question is the Toast window, which has several built-in capabilities. The researchers also said that existing Android versions have no safeguard to prevent a malicious overlay from gaining control over the device, because a permission check and an operation check are both missing. Although an overlay normally requires both checks, neither is performed for the TYPE_TOAST window type, as its permission is granted automatically.
Unit 42 said, “The Toast overlay is typically used to display a quick message over all other apps. For example, a message indicating that an e-mail has been saved as a draft when a user navigates away without sending an e-mail. It naturally inherits all configuration options as for other window types. However, our research has found using the Toast window as an overlay window allows an app to write over the interface of another app without requesting the SYSTEM_ALERT_WINDOW privilege this typically requires.”
Android version 7.1 includes two layers of protection: a timeout on Toast windows and a restriction to a single overlay layer at a time. The researchers said that the single-layer restriction can be bypassed with a LooperThread that shows Toast windows continuously, one after another. Because of this continuous display, the timeout protection is also defeated, since it cannot tell whether any overlay window has been clicked.
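As a defensive illustration of the problem described above, the following is an added example (not code from the Unit 42 report or from Android itself) of a confirmation button that refuses touches delivered while another app's window is drawn over it, which is Android's documented mitigation for overlay and tapjacking attacks. The class name, log tag, and the idea of using it on a sensitive "grant permission" button are assumptions.

```java
// Added example, not from the original report: a Button subclass that drops
// touches arriving while the window is obscured by another window (such as a
// Toast overlay from a different app) and logs the event for detection.
import android.content.Context;
import android.util.AttributeSet;
import android.util.Log;
import android.view.MotionEvent;
import android.widget.Button;

public class ObscuredTouchFilteringButton extends Button {

    private static final String TAG = "OverlayGuard"; // assumed log tag

    public ObscuredTouchFilteringButton(Context context, AttributeSet attrs) {
        super(context, attrs);
        // Ask the framework to discard touches that arrive while any window
        // owned by another app is drawn over this view. The input dispatcher
        // marks such touches with FLAG_WINDOW_IS_OBSCURED.
        setFilterTouchesWhenObscured(true);
    }

    @Override
    public boolean onFilterTouchEventForSecurity(MotionEvent event) {
        boolean obscured =
                (event.getFlags() & MotionEvent.FLAG_WINDOW_IS_OBSCURED) != 0;
        if (obscured) {
            // The framework would already drop this event because of
            // setFilterTouchesWhenObscured(true); the override adds telemetry,
            // since a confirmation tap under an overlay is a strong signal
            // that the user is being tricked.
            Log.w(TAG, "Touch discarded: view obscured by another window");
            return false; // event is not delivered to the click handler
        }
        return super.onFilterTouchEventForSecurity(event);
    }
}
```

Use the class in place of `<Button>` in the layout of any dialog that grants a sensitive capability (device administrator, accessibility); the same two APIs, `setFilterTouchesWhenObscured` and `FLAG_WINDOW_IS_OBSCURED`, work on any View.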
Google released a patch in the Android Security Bulletin of September 5; users need to install the update to be protected.