A group of security researchers (Palo Alto Networks Unit 42) has discovered a new vulnerability in the Android operating system that has toast with toast notifications. Before you worry, we’ll inform you that the bug has already been fixed with the September security patches – coming on several smartphones – and that concerns Android 7.1.2 Nougat and earlier versions: Android 8.0 Oreo is in fact free.
This vulnerability allows you to create a pseudo- overlay to fool the user because this permits dangerous permissions; this could allow the attacker to read the content on the screen, install apps, and so on. The key is the toast notifications, which are exploited to circumvent the need for overlay permissions , similar to what we saw a few months ago with Cloak & Dagger malware.
How does it work ? We’ll try to explain it briefly: This method uses toast notifications to create an “overlay” on the screen without requiring the “SYSTEM_ALERT_WINDOW” authorization, which is normally mandatory. This way, you can recreate buttons, the legitimate semblance, to accept user requests and thus grant administrator permissions.
Android 7.1 Nougat had already tried to stem the problem by setting limitations for toast notifications, but apparently they were overrun. September’s patches, rollout these days for supported Google Pixels and Nexus (and not only), come fortunately to our rescue, fixing the vulnerability also on Android 7.1.2 Nougat and earlier versions.