{"id":9166,"date":"2017-09-07T20:45:51","date_gmt":"2017-09-08T04:45:51","guid":{"rendered":"http:\/\/www.palada.net\/index.php\/2017\/09\/07\/news-2939\/"},"modified":"2017-09-07T20:45:51","modified_gmt":"2017-09-08T04:45:51","slug":"news-2939","status":"publish","type":"post","link":"https:\/\/www.palada.net\/index.php\/2017\/09\/07\/news-2939\/","title":{"rendered":"Hack Brief: Patch Your Android Phone To Block An Evil \u2018Toast\u2019 Attack"},"content":{"rendered":"<p><img decoding=\"async\" src=\"https:\/\/media.wired.com\/photos\/59b1f1f659b7637a62e95b6c\/master\/pass\/android_patch-01.png\"\/><\/p>\n<p><strong>Credit to Author: Andy Greenberg| Date: Fri, 08 Sep 2017 04:16:44 +0000<\/strong><\/p>\n<p data-reactid=\"247\"><span class=\"lede\" data-reactid=\"248\"><!-- react-text: 249 -->Modern smartphones take <!-- \/react-text --><\/span><!-- react-text: 250 -->pains to \u201csandbox\u201d apps, keeping them carefully segregated so that no mischievous program can meddle in another app\u2019s sensitive business. But security researchers have found an unexpected feature of Android that can surreptitiously grant an app the permission to not merely reach outside its sandbox but fully redraw the phone\u2019s screen while another part of the operating system is running, tricking users into tapping on fake buttons that can have unexpected consequences. 
And while that hijacking of your finger inputs isn\u2019t a new feat for Android hackers, a fresh tweak on the attack makes it easier than ever to pull off.<!-- \/react-text --><\/p>\n<p data-reactid=\"253\"><!-- react-text: 254 -->On Thursday researchers at Palo Alto Networks <!-- \/react-text --><a href=\"https:\/\/researchcenter.paloaltonetworks.com\/2017\/09\/unit42-android-toast-overlay-attack-cloak-and-dagger-with-no-permissions\/\" target=\"_blank\" data-reactid=\"255\"><!-- react-text: 256 -->warned in a blog post<!-- \/react-text --><\/a><!-- react-text: 257 --> that users should rush to patch their Android phones against what they\u2019re calling a \u201ctoast overlay\u201d attack: For all versions of Android other than the recently released Oreo, they describe how users can be tricked into installing a piece of malware that can overlay images atop other apps and elements of the phone\u2019s controls and settings. It could, for instance, insert a picture of an innocent \u201ccontinue installation\u201d or mere \u201cOK\u201d button over another hidden button that invisibly gives the malware more privileges in the phone\u2019s operating system or silently installs a rogue app\u2014or it could simply take over the screen and lock the user out of all other parts of the phone in a form of ransomware.<!-- \/react-text --><\/p>\n<p data-reactid=\"258\"><!-- react-text: 259 -->\u201cThey can make it look like you\u2019re touching one thing when you\u2019re touching another,\u201d says Palo Alto researcher Ryan Olson. 
\u201cAll they have to do is put an overlay a button over \u2018activate this app to be a device admin\u2019 and they\u2019ve tricked you into giving them control of your device.\u201d<!-- \/react-text --><\/p>\n<p data-reactid=\"260\"><!-- react-text: 261 -->Android overlay attacks have existed for <!-- \/react-text --><a href=\"https:\/\/www.forbes.com\/sites\/andygreenberg\/2011\/07\/18\/researchers-show-android-vulnerable-to-app-hijacking-attacks\/#50b61b7a6aea\" target=\"_blank\" data-reactid=\"262\"><!-- react-text: 263 -->almost as long as Android itself<!-- \/react-text --><\/a><!-- react-text: 264 -->. But despite repeated efforts from Android&#x27;s developers at Google to fix the problem, another version of the overlay attack was presented earlier this year at the Black Hat security conference. That new attack, known as <!-- \/react-text --><a href=\"https:\/\/www.wired.com\/story\/cloak-and-dagger-android-malware\/\" data-reactid=\"265\"><!-- react-text: 266 -->Cloak and Dagger<!-- \/react-text --><\/a><!-- react-text: 267 -->, took advantage of two features of Android to make overlay attacks possible again: One that\u2019s called SYSTEM_ALERT_WINDOW designed to allow apps to display alerts and another known as BIND_ACCESSIBILITY_SERVICE that allows apps for disabled users such as the seeing-impaired to manipulate other apps, magnifying their text or reading it aloud. 
Any malware that performs the Cloak and Dagger attack would need to ask the user\u2019s permission for those features when it\u2019s installed, and the system alert feature is only allowed in apps inside the Google Play store.<!-- \/react-text --><\/p>\n<p data-reactid=\"303\"><!-- react-text: 304 -->The toast overlay attack takes Cloak and Dagger one step further, the Palo Alto researchers say. They found that they could hijack the accessibility feature to perform a specific form of overlay using so-called \u201ctoast\u201d notifications that pop up and fill the screen, with no need for the system alert permission. That tweak not only reduces the permissions that the user must be tricked into granting but also means the malware could be distributed from outside the Google Play store, where it wouldn\u2019t be subject to Google\u2019s security checks.<!-- \/react-text --><\/p>\n<p data-reactid=\"305\"><!-- react-text: 306 -->When WIRED reached out to Google about the attack, a spokesperson declined to comment but noted that Google released a patch for the problem Tuesday.<!-- \/react-text --><\/p>\n<p data-reactid=\"309\"><!-- react-text: 310 -->Every version of Android prior to Oreo is vulnerable to the new version of the overlay attack, according to Palo Alto\u2014unless you\u2019ve already installed Google\u2019s patch. 
(Thanks to the complexities of Android\u2019s entanglements with carriers and handset manufacturers, <!-- \/react-text --><a href=\"https:\/\/www.wired.com\/2017\/03\/good-news-androids-huge-security-problem-getting-less-huge\/\" data-reactid=\"311\"><!-- react-text: 312 -->you most likely haven\u2019t<!-- \/react-text --><\/a><!-- react-text: 313 -->.)<!-- \/react-text --><\/p>\n<p data-reactid=\"314\"><!-- react-text: 315 -->The most recent version of Android prior to Oreo does have a safeguard that only allows toast notifications to be displayed for 3.5 seconds. But that can be circumvented by putting the notification on a repeated, timed loop. \u201cIf you do it over and over and over, you can create a continuous overlay that\u2019s not visible to the user as changing,\u201d  Olson says.<!-- \/react-text --><\/p>\n<p data-reactid=\"318\"><!-- react-text: 319 -->While Palo Alto calls its toast overlay method a \u201chigh severity vulnerability,\u201d it\u2019s not exactly cause for panic. Palo Alto notes that it has yet to see the attack used in the wild. 
And users would have to make a series of mistakes (albeit forgivable ones) before the attack can wreak its havoc: You\u2019d have to first install the malware that\u2019s equipped with the method after it already snuck into the Play store\u2014or you made the <!-- \/react-text --><a href=\"https:\/\/www.wired.com\/2016\/12\/never-ever-ever-download-android-apps-outside-google-play\/\" data-reactid=\"320\"><!-- react-text: 321 -->less forgivable mistake<!-- \/react-text --><\/a><!-- react-text: 322 --> of installing it from a source outside Play\u2014and then grant it \u201caccessibility\u201d permissions before it could start popping up its deceptive toast notifications.<!-- \/react-text --><\/p>\n<p data-reactid=\"323\"><!-- react-text: 324 -->But that doesn\u2019t mean the toast overlay attack isn\u2019t worth a quick update to fix: Better to patch your phone\u2019s operating system now than worry about malicious toast seizing its screen for ransom.<!-- \/react-text --><\/p>\n
<p><a href=\"https:\/\/www.wired.com\/story\/hack-brief-patch-your-android-phone-to-block-an-evil-toast-attack\" target=\"bwo\" >https:\/\/www.wired.com\/category\/security\/feed\/<\/a><\/p>\n","protected":false},"excerpt":{"rendered":"<p><img decoding=\"async\" src=\"https:\/\/media.wired.com\/photos\/59b1f1f659b7637a62e95b6c\/master\/pass\/android_patch-01.png\"\/><\/p>\n<p><strong>Credit to Author: Andy Greenberg| Date: Fri, 08 Sep 2017 04:16:44 +0000<\/strong><\/p>\n<p>Google has released a fix against a devious new form of &#8220;overlay&#8221; attack against Android phones.<\/p>\n","protected":false},"author":4,"featured_media":0,"comment_status":"open","ping_status":"closed","sticky":false,"template":"","format":"standard","meta":{"colormag_page_container_layout":"default_layout","colormag_page_sidebar_layout":"default_layout","footnotes":""},"categories":[10378,10607],"tags":[714],"class_list":["post-9166","post","type-post","status-publish","format-standard","hentry","category-security","category-wired","tag-security"],"_links":{"self":[{"href":"https:\/\/www.palada.net\/index.php\/wp-json\/wp\/v2\/posts\/9166","targetHints":{"allow":["GET"]}}],"collection":[{"href":"https:\/\/www.palada.net\/index.php\/wp-json\/wp\/v2\/posts"}],"about":[{"href":"https:\/\/www.palada.net\/index.php\/wp-json\/wp\/v2\/types\/post"}],"author":[{"embeddable":true,"href":"https:\/\/www.palada.net\/index.php\/wp-json\/wp\/v2\/users\/4"}],"replies":[{"embeddable":true,"href":"https:\/\/www.palada.net\/index.php\/wp-json\/wp\/v2\/comments?post=9166"}],"version-history":[{"count":0,"href":"https:\/\/www.palada.net\/index.php\/wp-json\/wp\/v2\/posts\/9166\/revisions"}],"wp:attachment":[{"href":"https:\/\/www.palada.net\/index.php\/wp-json\/w
p\/v2\/media?parent=9166"}],"wp:term":[{"taxonomy":"category","embeddable":true,"href":"https:\/\/www.palada.net\/index.php\/wp-json\/wp\/v2\/categories?post=9166"},{"taxonomy":"post_tag","embeddable":true,"href":"https:\/\/www.palada.net\/index.php\/wp-json\/wp\/v2\/tags?post=9166"}],"curies":[{"name":"wp","href":"https:\/\/api.w.org\/{rel}","templated":true}]}}