Google makes a consistent effort to keep the Android ecosystem secure, but according to recent research, devices running Android Nougat and below are vulnerable to a toast overlay attack that can harm users by stealing credentials, silently installing malicious apps and even conducting a ransomware attack.
Although Google has already released the September security update with a fix for this issue, a majority of devices from various manufacturers have yet to receive the previous security updates, let alone this one.
So, in theory and in practice, a majority of Android devices are currently susceptible to this malware, which can entice users to grant it Device Administrator privileges.
According to the research, using these privileges, the attacker can exploit the device via the malware in any way they see fit. They can access the ‘draw on top’ permission at any time, which enables them to draw a silent app over the active one and get the user to click on links unknowingly.
“Malware launching this attack does not need to possess the overlay permission or to be installed from Google Play. With this new overlay attack, malware can entice users to enable the Android Accessibility Service and grant the Device Administrator privilege or perform other dangerous actions,” the researchers at Palo Alto Networks 42 stated.
Inspired by a research paper titled ‘Cloak and Dagger: From Two Permissions to Complete Control of the UI Feedback Loop’ by researchers at Georgia Tech, this research confirmed that Android 8.0 Oreo isn’t vulnerable to this attack.
Normally, if your device is infected with a fraudulent malware app, that app won’t be able to access the data of other apps or even the system resources. But this attack bypasses the sandboxing, gaining control of the device.
When Will You Get the September Security Update?
If you own a Google Pixel or Nexus device, you should have already received the latest security patch with a fix for this vulnerability. If not, then check for the update on your device manually as the September security update was released by Google on Tuesday.
Nokia and BlackBerry device users can expect to get the security patch within a week or two, but users owning devices from other manufacturers should be worried, as their devices might still be languishing on the July security update or an even earlier one.
Even the August security update fixed an important phishing vulnerability in Android devices. A similar security vulnerability was also found in Apple’s iOS.