![]() ![]() In this way, the app can launch an overlay attack without any special permissions. This discovery allows an installed app to craft an overlay on the screen with a Toast window. However, our research has found using the Toast window as an overlay window allows an app to write over the interface of another App without requesting the SYSTEM_ALERT_WINDOW privilege this typically requires. It naturally inherits all configuration options as for other windows types. For example, a message indicating that an e-mail has been saved as draft when a user navigates away without sending an e-mail. The Toast overlay is typically used to display a quick message over all other apps. The “ Toast” window (TYPE_TOAST) is one of the supported overlay types on Android. This vulnerability was assigned CVE-2017-0752 and was disclosed in the Android Security Bulletin September. A video of the this attack in action is available here: ![]() Our new research shows that the accessibility attacks proposed in the paper can be launched successfully even if the app is not from Google Play and declares only one permission “BIND_ACCESSIBILITY_SERVICE”.Īs with Cloak and Dagger, this overlay attack works by modifying regions of the screen to change what the user sees, tricking them into enabling additional permissions or identifying their inputs. This paper proposed several innovative accessibility attacks but with the assumption that the malicious app must explicitly request two permissions and be installed from Google Play. This paper was recently presented at the IEEE Security & Privacy 2017 conference in May 2017. Chung, Wenke Lee of Georgia Tech ( PDF Link). The research was inspired by the paper “ Cloak and Dagger: From Two Permissions to Complete Control of the UI Feedback Loop” by Yanick Fratantonio of UC Santa Barbara and Chenxiong Qian, Simon P. If these privileges are granted, a number of powerful attacks can be launched on the device, including stealing credentials, installing apps silently, and locking the device for the ransom. With this new overlay attack, malware can entice users to enable the Android Accessibility Service and grant the Device Administrator privilege or perform other dangerous actions. ![]() Malware launching this attack does not need to possess the overlay permission or to be installed from Google Play. ![]() However, this newly discovered overlay attack does not require any specific permissions or conditions to be effective. To launch such an attack, malware normally needs to request the “draw on top” permission. Overlay attacks permit an attacker to draw on top of other windows and apps running on the affected device. Because Android 8.0 is recent, this vulnerability affects nearly all Android devices currently in the market ( see Table 1) and users should apply updates as soon as possible. Android 8.0 was just released and is unaffected by this vulnerability. All Android devices with OS version < 8.0 are affected by this vulnerability and patches are available as part of the September 2017 Android Security Bulletin. Palo Alto Networks Unit 42 researchers have uncovered a high severity vulnerability in the Android overlay system, which allows a new Android overlay attack by using the “Toast type” overlay. ![]()
0 Comments
Leave a Reply. |
AuthorWrite something about yourself. No need to be fancy, just an overview. ArchivesCategories |