CONFERENCE Cyber AI & Automation Summit - Watch Sessions
Connect with us

Hi, what are you looking for?

SecurityWeekSecurityWeek

Malware & Threats

Android Malware Exploits Recently Patched ‘Toast’ Flaw

Researchers at Trend Micro have spotted the first known piece of malware to exploit a recently patched vulnerability affecting the Toast feature in Android.

Researchers at Trend Micro have spotted the first known piece of malware to exploit a recently patched vulnerability affecting the Toast feature in Android.

The flaw, reported to Google by researchers at Palo Alto Networks, enables malicious actors to launch overlay attacks by abusing Android’s Toast feature, which allows applications to display messages and notifications on top of other apps. The feature is named Toast because the notifications pop up on the screen just like toast.

Overlay attacks are commonly used by Android malware for phishing attacks, but using Toast provides some advantages, including the fact that it does not require the same types of permissions as other windows, and it allows an app to display a window that covers the device’s entire screen.

The vulnerability, tracked as CVE-2017-0752 and classified as high risk, was patched by Google in September with its monthly Android security updates. Toast overlay attacks don’t work against devices running Android 8.0 Oreo.

On Thursday, Trend Micro researchers reported seeing the first piece of malware leveraging the Toast overlay exploit. The threat, detected by the company as TOASTAMIGO, was disguised as apps named Smart AppLocker that had been available on Google Play, from where they were downloaded hundreds of thousands of times. The applications have since been removed from Google Play.

The malicious apps claim to secure devices with a PIN code. Once installed, they request Accessibility permissions and inform the user that they need to scan the phone for unprotected apps. The Toast exploit is used to display a progress screen for the “scan,” but in the background the malware executes commands from the attackers and installs a second piece of malware named by Trend Micro AMIGOCLICKER.

In addition to downloading other malware, TOASTAMIGO can terminate mobile security apps and perform other actions that prevent it from being removed. AMIGOCLICKER has self-preservation capabilities as well, but it can also collect Google accounts, click on buttons in system dialogs, click on Facebook ads, and give itself a five-star rating on Google Play.

“The miscellany of the malware’s malicious functionalities, combined with a relatively unique attack vector, makes them credible threats. In fact, the aforementioned functionalities can actually be modified for further cyberattacks,” Trend Micro researchers said in a blog post. “Since TOASTAMIGO and AMIGOCLICKER can misuse Android’s Accessibility feature to virtually do anything, this malware can update itself when getting the remote server’s commands.”

Advertisement. Scroll to continue reading.

Related: Android Malware ‘Dvmap’ Delivered via Google Play

Related: Android Malware Found on Google Play Abuses Accessibility Service

Related: Android Malware Exploits Dirty COW Vulnerability

Written By

Eduard Kovacs (@EduardKovacs) is a managing editor at SecurityWeek. He worked as a high school IT teacher for two years before starting a career in journalism as Softpedia’s security news reporter. Eduard holds a bachelor’s degree in industrial informatics and a master’s degree in computer techniques applied in electrical engineering.

Click to comment

Trending

Daily Briefing Newsletter

Subscribe to the SecurityWeek Email Briefing to stay informed on the latest threats, trends, and technology, along with insightful columns from industry experts.

Don’t miss this Live Attack demonstration to learn how hackers operate and gain the knowledge to strengthen your defenses.

Register

Join us as we share best practices for uncovering risks and determining next steps when vetting external resources, implementing solutions, and procuring post-installation support.

Register

People on the Move

Shanta Kohli has been named CMO at Sysdig.

Cloud security firm Sysdig has appointed Sergej Epp as CISO.

F5 has appointed John Maddison as Chief Product Marketing and Technology Alliances Officer.

More People On The Move

Expert Insights

Daily Briefing Newsletter

Subscribe to the SecurityWeek Email Briefing to stay informed on the latest cybersecurity news, threats, and expert insights. Unsubscribe at any time.