Android is a pretty open platform with a fantastic developer community. Many of these developers will create apps, custom ROMs and more. Some organizations also engage in security testing, such as Palo Alto Networks Unit 42. This group has discovered a vulnerability within the Android Toast Message system, which allows the attacker to create a pseudo-overlay to trick the user into granting dangerous permissions without their knowledge. This is already fixed in the September security update and in Android Oreo, so rest assured that if your phone still receives monthly security patches, or you have a device on Android Oreo, that you are not vulnerable to this attack.
All other Android devices are susceptible to this attack. The way this works is that it exploits toast notifications within Android to bypass the requirement for the “draw on top” ie. overlay permission, which is how the “Cloak and Dagger” exploit worked. The researchers used this exploit to socially engineer users into granting the accessibility service to their attacking application, allowing them to then read all screen contents, key inputs, etc. on the device. They then used the same method to entice the application users to grant administrator access, all while being entirely unaware of the access they just granted. This allows the attacker to install apps, monitor the device, and also opens up for the potential of ransomware.
But how does it actually work? The developers behind the proof of concept shared the actual source code of their attack which contains a more technical explanation behind the vulnerability. But we’ll briefly explain how and why this exploit works.
First, you need to consider what a toast message is. They’ve been around on Android for years now, and you’ve probably seen plenty of them on your device every single day. Toasts are little messages at the bottom of the screen that usually appear in a grey bubble with a piece of information.
The exploit uses the toast message to create an overlay over the screen without actually requesting or needing the SYSTEM_ALERT_WINDOW permission, which is supposed to be a requirement for any application to draw over your screen. Instead, it pushes the overlay through a toast notification, creating buttons which look like they are for legitimately granting a benign permission or accepting a meaningless prompt but are actually for granting device administrator or accessibility access to the application. It creates two views inside of a toast overlay.
All of this can be done due to a failed permission check. The Android system (pre-Oreo and pre-September security update) does not actually check what is fed through the Android Toast Overlay system, instead granting the permission without checking. This is likely because Google did not foresee the possibility of feeding a view through a toast overlay.
In Android 7.1 it looks like Google tried to block this exploit. There was an introduced time out for toast messages and a limitation created: only 1 toast message per UID, an app’s process ID. This was easily bypassed by repeatedly looping and showing more toast overlays instead, so the illusion is given to the user that it is a consistent UI. If a loop was not created, after 3.5 seconds the overlay would disappear and the user would see what the app is actually requesting the user to do – grant device admin or accessibility rights.
The device administrator or accessibility permissions, when granted to an application, can be easily exploited for many kinds of malicious attacks. Ransomware, keyloggers, and device wipers can all be created using this exploit.
Applications do not need any permissions in order to show a toast message, though obviously the malicious application still needs BIND_ACCESSIBILITY_SERVICE as well as BIND_DEVICE_ADMIN in order to make effective use out of this toast overlay attack. Thus, your best line of defense against this kind of attack if your device is not yet patched is to examine the permissions that an application has defined in its AndroidManifest when installing it. If you install an app and you aren’t sure why that app needs an Accessibility Service or Device Admin privileges, then promptly uninstall it and contact the developer.
It’s concerning that such a simple part of Android, the lowly toast message, can be exploited to socially engineer a user into granting dangerous permissions. We hope that manufacturers roll out the September security patches as soon as they can to devices in order to protect the millions out there who could easily fall for such an exploit.