One of the 81 vulnerabilities addressed in the September 2017 Android security bulletin was a High risk issue that could be exploited to launch a new type of overlay attacks, Palo Alto Networks reveals.
Tracked as CVE-2017-0752 and described as an elevation of privilege vulnerability in the Android framework (windowmanager), the bug abuses the “Toast” notifications in the operating system to modify what users see on the screen. Unlike similar overlay attacks, however, the new method does not require specific permissions or conditions to be effective, Palo Alto’s security researchers have discovered.
All Android releases prior to Android 8.0 Oreo are at risk, but Palo Alto’s researchers say they are not aware of any active attacks against this particular vulnerability. To stay protected, users are advised to update their devices as soon as a patch becomes available for them.
“This type of attack can be used to give malicious software total control over the device. In a worst-case attack scenario, this vulnerability could be used to render the phone unusable or to install any kind of malware including (but not limited to) ransomware or information stealers,” the researchers note.
The attack works similarly to other overlay exploits, by drawing a window over other windows and applications running on the device. Thus, an attacker can trick the victim into believing they are clicking on a window, but in reality they are clicking on another, where malware is installed or unwanted permissions (such as full device privileges) are granted.
While overlay attacks aren’t new and have been discussed before, it was a common misconception that malicious apps attempting such trickery would need to explicitly request the “draw on top” permission and would need to be installed from Google Play, Palo Alto says. The newly discovered vulnerability can be exploited without meeting these conditions, thus rendering overlay attacks a more serious threat than believed.
For that, an application would have to abuse the “Toast” window, an overlay type normally used to display a quick message (notification) over all other apps. The Toast window would allow a malicious application to write over the interface of another app without requesting the SYSTEM_ALERT_WINDOW privilege this typically requires.
An installed app that can craft an overlay using the Toast window can launch an attack without special permissions. The crafted overlay includes two types of views (normally embedded in a Toast window), one of which is clickable. If the attacker can lure the user into clicking the view, the attack is successful, the researchers point out.
What’s more, the permission check and operation check don’t apply to Toast windows either, meaning that an app is granted complete control over TYPE_TOAST window. While Android 7.1 introduces mitigations by assigning a maximum timeout (3.5s) for each Toast window and not allowing apps to display more than one such window at a time, the fundamental cause of the vulnerability isn’t addressed, and an app still doesn’t need permissions to display a Toast window on top of other apps.
The security researchers also discovered that it is possible to continuously show a Toast window despite said mitigations, although the approach doesn’t allow the malicious app to monitor whether the user has clicked on the expected area in the overlay. Another approach would involve displaying an overlay to lure users to click on it, sleep for several seconds, and switch to another overlay.
The vulnerability was reported in May 2017 and Google included patches for it in the September 2017 Android security bulletin. Android 8.0 Oreo doesn’t inherit the vulnerability and all devices running this platform iteration are safe from overlay attacks, the security researchers say.