Security researchers warned of a high-severity Android flaw on Thursday that stems from what they call a “toast attack” overlay vulnerability. Researchers say criminals could use Android’s toast notification, a feature that provides simple feedback about an operation in a small pop-up, in an attack scenario to obtain admin rights on targeted phones and take complete control of them.
Affected are all versions of the Android operating system prior to Android 8.0, Oreo, released just last month.
“Since Android 8.0 is a relatively recent release, this means that nearly all Android users should take action today and apply updates that are available to address this vulnerability,” researchers with Palo Alto Networks Unit 42, who found the flaw, said.
Leveraging the toast vulnerability could allow attackers to facilitate what are known as “overlay” attacks on Android phones. Overlay attacks aren’t necessarily new. They all share the same goal of allowing attackers to create a UI overlay to be displayed on top of legitimate Android applications. The overlay then tricks users into clicking confirmation buttons or entering credentials into a fake window that will grab and forward them to a remote attacker.
“This type of (toast) attack can also be used to give malicious software total control over the device. In a worst-case attack scenario, this vulnerability could be used to render the phone unusable (i.e., a ‘brick’) or to install any kind of malware including (but not limited to) ransomware or information stealers,” wrote Christopher Budd, senior threat communications manager for Unit 42, in a technical overview posted Thursday.