Security Experts:

Connect with us

Hi, what are you looking for?


Malware & Threats

Android Malware Exploits Recently Patched ‘Toast’ Flaw

Researchers at Trend Micro have spotted the first known piece of malware to exploit a recently patched vulnerability affecting the Toast feature in Android.

Researchers at Trend Micro have spotted the first known piece of malware to exploit a recently patched vulnerability affecting the Toast feature in Android.

The flaw, reported to Google by researchers at Palo Alto Networks, enables malicious actors to launch overlay attacks by abusing Android’s Toast feature, which allows applications to display messages and notifications on top of other apps. The feature is named Toast because the notifications pop up on the screen just like toast.

Overlay attacks are commonly used by Android malware for phishing attacks, but using Toast provides some advantages, including the fact that it does not require the same types of permissions as other windows, and it allows an app to display a window that covers the device’s entire screen.

The vulnerability, tracked as CVE-2017-0752 and classified as high risk, was patched by Google in September with its monthly Android security updates. Toast overlay attacks don’t work against devices running Android 8.0 Oreo.

On Thursday, Trend Micro researchers reported seeing the first piece of malware leveraging the Toast overlay exploit. The threat, detected by the company as TOASTAMIGO, was disguised as apps named Smart AppLocker that had been available on Google Play, from where they were downloaded hundreds of thousands of times. The applications have since been removed from Google Play.

The malicious apps claim to secure devices with a PIN code. Once installed, they request Accessibility permissions and inform the user that they need to scan the phone for unprotected apps. The Toast exploit is used to display a progress screen for the “scan,” but in the background the malware executes commands from the attackers and installs a second piece of malware named by Trend Micro AMIGOCLICKER.

In addition to downloading other malware, TOASTAMIGO can terminate mobile security apps and perform other actions that prevent it from being removed. AMIGOCLICKER has self-preservation capabilities as well, but it can also collect Google accounts, click on buttons in system dialogs, click on Facebook ads, and give itself a five-star rating on Google Play.

“The miscellany of the malware’s malicious functionalities, combined with a relatively unique attack vector, makes them credible threats. In fact, the aforementioned functionalities can actually be modified for further cyberattacks,” Trend Micro researchers said in a blog post. “Since TOASTAMIGO and AMIGOCLICKER can misuse Android’s Accessibility feature to virtually do anything, this malware can update itself when getting the remote server’s commands.”

Related: Android Malware ‘Dvmap’ Delivered via Google Play

Related: Android Malware Found on Google Play Abuses Accessibility Service

Related: Android Malware Exploits Dirty COW Vulnerability

Written By

Eduard Kovacs (@EduardKovacs) is a contributing editor at SecurityWeek. He worked as a high school IT teacher for two years before starting a career in journalism as Softpedia’s security news reporter. Eduard holds a bachelor’s degree in industrial informatics and a master’s degree in computer techniques applied in electrical engineering.

Click to comment

Expert Insights

Related Content

Malware & Threats

Microsoft plans to improve the protection of Office users by blocking XLL add-ins from the internet.

Mobile & Wireless

Apple rolled out iOS 16.3 and macOS Ventura 13.2 to cover serious security vulnerabilities.

Mobile & Wireless

Technical details published for an Arm Mali GPU flaw leading to arbitrary kernel code execution and root on Pixel 6.

Mobile & Wireless

Apple’s iOS 12.5.7 update patches CVE-2022-42856, an actively exploited vulnerability, in old iPhones and iPads.


CISA, NSA, and MS-ISAC issued an alert on the malicious use of RMM software to steal money from bank accounts.

Mobile & Wireless

Two vulnerabilities in Samsung’s Galaxy Store that could be exploited to install applications or execute JavaScript code by launching a web page.


Chinese threat actor DragonSpark has been using the SparkRAT open source backdoor in attacks targeting East Asian organizations.


A recently disclosed vBulletin vulnerability, which had a zero-day status for roughly two days last week, was exploited in a hacker attack targeting the...