“Toast” Vulnerability in Android Allowed for New Overlay Attacks

One of the 81 vulnerabilities addressed in the September 2017 Android security bulletin was a High risk issue that could be exploited to launch a new type of overlay attack, Palo Alto Networks reveals.

Tracked as CVE-2017-0752 and described as an elevation of privilege vulnerability in the Android framework (windowmanager), the flaw lets an attacker abuse the operating system’s “Toast” notification window to modify what users see on the screen. Unlike similar overlay attacks, however, the new method does not require specific permissions or conditions to be effective, Palo Alto’s security researchers have discovered.

All Android releases prior to Android 8.0 Oreo are at risk, but Palo Alto’s researchers say they are not aware of any active attacks against this particular vulnerability. To stay protected, users are advised to update their devices as soon as a patch becomes available for them.

“This type of attack can be used to give malicious software total control over the device. In a worst-case attack scenario, this vulnerability could be used to render the phone unusable or to install any kind of malware including (but not limited to) ransomware or information stealers,” the researchers note.

The attack works like other overlay exploits: a window is drawn over the other windows and applications running on the device, so the victim believes they are clicking on one window when in reality they are clicking on another, where malware is installed or unwanted permissions (such as full device privileges) are granted.

While overlay attacks aren’t new and have been discussed before, it was a common misconception that malicious apps attempting such trickery would need to explicitly request the “draw on top” permission and would need to be installed from Google Play, Palo Alto says. The newly discovered vulnerability can be exploited without meeting these conditions, thus rendering overlay attacks a more serious threat than believed.

For that, an application would have to abuse the “Toast” window, an overlay type normally used to display a quick message (notification) over all other apps. The Toast window would allow a malicious application to write over the interface of another app without requesting the SYSTEM_ALERT_WINDOW privilege this typically requires.

An installed app that can craft an overlay using the Toast window can launch an attack without special permissions. The crafted overlay includes two types of views (normally embedded in a Toast window), one of which is clickable. If the attacker can lure the user into clicking the view, the attack is successful, the researchers point out.

What’s more, the permission check and operation check don’t apply to Toast windows either, meaning that an app is granted complete control over the TYPE_TOAST window. While Android 7.1 introduced mitigations by assigning a maximum timeout (3.5s) to each Toast window and not allowing apps to display more than one such window at a time, the fundamental cause of the vulnerability isn’t addressed, and an app still doesn’t need permissions to display a Toast window on top of other apps.

The security researchers also discovered that it is possible to continuously show a Toast window despite said mitigations, although the approach doesn’t allow the malicious app to monitor whether the user has clicked on the expected area in the overlay. Another approach would involve displaying an overlay to lure users to click on it, sleep for several seconds, and switch to another overlay.
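A defender-side check for the clickjacking pattern described above (a covered view receiving a tap the user meant for the overlay), as an added example that is not part of the original article or of Palo Alto’s research: the per-view touch filter Android exposes for exactly this case, with logging so an app can see when it is being covered. OverlayGuard and its log tag are names assumed here.

```java
import android.os.Build;
import android.util.Log;
import android.view.MotionEvent;
import android.view.View;

/**
 * Tapjacking hardening for a sensitive control, e.g. a "Grant" or "Confirm" button.
 * Added example, not Palo Alto Networks' or Google's code; OverlayGuard and the log tag
 * are names chosen here. Only standard Android APIs (available since API level 9) are used.
 */
public final class OverlayGuard {
    private static final String TAG = "OverlayGuard"; // assumed log tag

    /** Per the article, the Toast-based technique affects releases before Android 8.0 (API 26). */
    public static boolean deviceIsPreOreo() {
        return Build.VERSION.SDK_INT < Build.VERSION_CODES.O;
    }

    /** True when the framework reports that another visible window overlapped the touch point. */
    public static boolean isObscured(int motionEventFlags) {
        return (motionEventFlags & MotionEvent.FLAG_WINDOW_IS_OBSCURED) != 0;
    }

    /**
     * Attach to the view whose click has security consequences. Touches that arrive while the
     * view is covered by another window are logged and swallowed, so an overlay that lures the
     * user into tapping "through" it cannot trigger the click.
     *
     * The zero-code alternative is sensitiveView.setFilterTouchesWhenObscured(true) (or
     * android:filterTouchesWhenObscured="true" in the layout); it drops the same events but
     * silently, so a listener is used here to keep telemetry.
     */
    public static void protect(final View sensitiveView) {
        sensitiveView.setOnTouchListener(new View.OnTouchListener() {
            @Override
            public boolean onTouch(View v, MotionEvent event) {
                if (isObscured(event.getFlags())) {
                    Log.w(TAG, "Dropped touch on view " + v.getId() + " while obscured by another window"
                            + (deviceIsPreOreo() ? " (device predates Android 8.0)" : ""));
                    return true;   // consume: no click is delivered to the view
                }
                return false;      // not obscured: normal click handling proceeds
            }
        });
    }
}
```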

The vulnerability was reported in May 2017 and Google included patches for it in the September 2017 Android security bulletin. Android 8.0 Oreo doesn’t inherit the vulnerability and all devices running this platform iteration are safe from overlay attacks, the security researchers say.

Written By

Ionut Arghire is an international correspondent for SecurityWeek.
