Toast Overlay Attack

An attack technique that security researchers described only as a proof of concept at the start of September has now been used in a live malware distribution campaign for the first time.

The technique disclosed in September is known as the Toast Overlay Attack. It abuses toast notifications, a legitimate UI element of the Android operating system, to draw content on top of other apps without the malicious app holding the "Draw over other apps" special permission (SYSTEM_ALERT_WINDOW) that overlay windows normally require.

Palo Alto Networks researchers discovered the technique and reported it to Google, which patched the underlying vulnerability (CVE-2017-0752) in the September 2017 Android Security Bulletin. Devices that have not received that patch level remain exposed.

ToastAmigo malware uses Toast Overlay Attack

Earlier this month, Trend Micro security researchers discovered the first malware to use a Toast Overlay Attack in the wild. The malware, which they named ToastAmigo, was hidden inside two apps on the Google Play Store, both published under the name Smart AppLocker.

The two Smart AppLocker apps infected with ToastAmigo

Both apps let users set a PIN that must be entered before other applications will open, separate from the device's native lock screen.

When a user launches the app, ToastAmigo mounts the Toast Overlay Attack: it shows oversized toast notifications that cover the entire screen and display a fake app interface.

In reality, behind the toast sit the real Android UI controls for granting an app access to the Android Accessibility service, a programmatic interface that lets an app observe the screen and carry out actions on the user's behalf. The fake interface walks the user through taps that land on those controls and hand the malicious app Accessibility access.

Apps infected with ToastAmigo

Unsuspecting users believe they are interacting with the app's own interface, but a toast window does not intercept touch input, so their taps pass straight through to the Android UI controls hidden behind it.

ToastAmigo installs second malware named AmigoClicker

Once the Toast Overlay Attack has secured Accessibility access, ToastAmigo uses that access to perform a rapid series of actions without further user interaction, including installing a second app that carries a malware strain named AmigoClicker.
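The two things a responder wants to establish on a device are whether it carries the September 2017 fix for CVE-2017-0752 (the patch paragraph above) and whether an app it does not recognise has been granted Accessibility access (the pivot ToastAmigo relies on). The script below is an added example written for this page, not code from the article, Palo Alto Networks, Trend Micro or Google. It assumes the raw values of `adb shell getprop ro.build.version.security_patch` and `adb shell settings get secure enabled_accessibility_services` as input; the sample values and the `com.example.unknown.applocker` package are constructed so the script runs offline.

```shell
#!/bin/sh
# Added triage helpers for the two facts the article turns on: whether a device
# carries the fix for CVE-2017-0752, and whether an unexpected app has been
# granted Accessibility access. Illustrative code written for this page, not
# from the article, Palo Alto Networks, Trend Micro or Google.
#
# On a real device the two inputs come from:
#   adb shell getprop ro.build.version.security_patch
#   adb shell settings get secure enabled_accessibility_services
# The values near the bottom are constructed samples so this runs offline.

# CVE-2017-0752 is a framework fix, which the September 2017 bulletin ships in
# its 2017-09-01 patch level. Android reports the level as YYYY-MM-DD, so a
# plain string comparison orders dates correctly.
TOAST_OVERLAY_FIX_LEVEL="2017-09-01"

# Returns 0 if the patch level includes the fix, 1 if it does not, and 2 if the
# value is empty or not a YYYY-MM-DD date (undecidable; treat as suspicious).
patched_for_toast_overlay() {
    level="$1"
    case "$level" in
        [0-9][0-9][0-9][0-9]-[0-9][0-9]-[0-9][0-9]) ;;
        *) return 2 ;;
    esac
    # expr exits 0 when the comparison is true, 1 when it is false.
    expr "$level" \>= "$TOAST_OVERLAY_FIX_LEVEL" >/dev/null
}

# Prints every enabled accessibility service whose package is not in the
# space-separated allowlist of trusted packages. Returns 0 if every enabled
# service is trusted (or none is enabled), 1 otherwise.
# Components look like "pkg/fully.qualified.Class" or "pkg/.Class", joined by ':'.
unexpected_accessibility_services() {
    enabled="$1"
    allowlist="$2"
    found=0
    # The setting reads "null" (or is empty) when no service is enabled.
    if [ -z "$enabled" ] || [ "$enabled" = "null" ]; then
        return 0
    fi
    old_ifs=$IFS
    IFS=':'
    set -- $enabled          # split the ':'-joined list into positional parameters
    IFS=$old_ifs
    for component in "$@"; do
        [ -n "$component" ] || continue
        pkg=${component%%/*}  # package name is everything before the first '/'
        trusted=0
        for t in $allowlist; do
            if [ "$t" = "$pkg" ]; then
                trusted=1
                break
            fi
        done
        if [ "$trusted" -eq 0 ]; then
            printf '%s\n' "$component"
            found=1
        fi
    done
    return "$found"
}

# Constructed sample inputs (not real device output; the applocker package is
# a placeholder name, not the real Smart AppLocker package).
SAMPLE_PATCH_LEVEL="2017-08-05"
SAMPLE_ENABLED="com.google.android.marvin.talkback/com.google.android.marvin.talkback.TalkBackService:com.example.unknown.applocker/.HelperService"
TRUSTED_PACKAGES="com.google.android.marvin.talkback"

if patched_for_toast_overlay "$SAMPLE_PATCH_LEVEL"; then
    echo "patch level $SAMPLE_PATCH_LEVEL: CVE-2017-0752 fix present"
else
    echo "patch level $SAMPLE_PATCH_LEVEL: toast overlay fix missing or level undecidable"
fi

if unexpected_accessibility_services "$SAMPLE_ENABLED" "$TRUSTED_PACKAGES"; then
    echo "no unexpected accessibility services"
else
    echo "review the services listed above: they can act on the user's behalf"
fi
```

The allowlist is deliberately the caller's problem: what counts as a trusted accessibility service differs per fleet (screen readers, password managers, MDM agents), and a hard-coded list would hide exactly the kind of unfamiliar "helper" service ToastAmigo installs. An undecidable patch level (return code 2) is worth a look in its own right, since custom ROMs and tampered builds sometimes report odd values there.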

This second malware is a simple ad-fraud strain: it installs a proxy on the device and loads ads for the operators' financial gain.

Trend Micro has published a technical analysis that breaks down both malware strains in finer detail. Google has since removed the two ToastAmigo-infected apps from the Play Store.