A new high-severity vulnerability affecting the Google Android platform has been discovered, according to Palo Alto Networks Unit 42 researchers.
The vulnerability allows cybercriminals launch “overlay attacks” which gives them the ability to input malicious software on users’ Android devices. This malicious software can then be used to gain total control over devices, install ransomware and lock devices, or steal information.
An “overlay attack” is an attack where an attacker’s app draws a window over (or “overlays”) other windows and apps running on the device. When done successfully, this can enable an attacker to convince the user he or she is clicking one window when, in fact, he or she is actually clicking another window.
The vulnerability affects all versions of Android OS prior to the recently released Android 8.0 Oreo, which is currently available only to select models of smartphones.
The particular vulnerability in question affects an Android feature known as Toast - a type of notification window that “pops” (like toast) on the screen. Toast is typically used to display messages and notifications over other apps.
Unlike other window types in Android, Toast doesn’t require the same permissions, and so the mitigating factors that applied to previous overlay attacks don’t apply here. Additionally, Palo Alto researchers have outlined how it’s possible to create a Toast window that overlays the entire screen, so it’s possible to use Toast to create the functional equivalent of regular app windows.
In light of this latest research, the risk of overlay attacks takes on a greater significance. Fortunately, the latest version of Android is immune from these attacks out of the box. However, most people who run Android run versions that are vulnerable. This means that it’s critical for all Android users on versions before 8.0 to get updates for their devices.
According to IDC, Android currently runs on approximately 85% of smartphones worldwide. Additionally, data released earlier this year also shows that Android is even more dominant in emerging markets in Asia, such as Indonesia and China.
First published Networks Asia