Researchers have discovered in Google Play several malicious apps that use a recently patched vulnerability to install other malware, according to anti-virus company Trend Micro. Google fixed the vulnerability in September this year.
The vulnerability allows a malicious application on the device to perform a so-called "overlay attack". In an overlay attack, a malicious app shows a window on top of another window or app. The user believes they are clicking an innocent button, while the click actually causes malware to be installed or grants the app higher privileges. Normally, an app needs the "draw on top of other apps" permission to do this.
However, it turned out to be possible to show overlays without this permission by using a so-called Toast overlay. Toast windows are commonly used to display a quick notification over other apps, such as the message that an email has been saved as a draft. Researchers at Palo Alto Networks found that the Toast window could also be used for an overlay attack without requiring any additional permission.
According to Trend Micro, this is the first time malicious apps have been found that use the Android vulnerability patched in September for an overlay attack. The malicious apps pose as an "app locker" that supposedly protects the user's applications with a PIN. The apps ask the user for accessibility permissions, which are claimed to be necessary for operation. Once the permissions have been granted, the apps open a window that "analyzes" the apps on the device. Behind the scenes, however, the apps install additional malware and perform other actions.
One of the discovered apps was installed between 100,000 and 500,000 times. After being notified, Google removed the apps from the Play Store. Since the attack relies on the vulnerability in Android, users are advised to install the latest security updates if available. Android devices with a security patch level of 2017-09-01 or later are no longer affected. Trend Micro has published a PDF listing the apps that abused the vulnerability.
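The patch level is the practical thing an administrator can check for. The following Python helper, added here as an illustration and not taken from the article or from Trend Micro, triages a constructed device inventory by comparing each device's reported Android security patch level against the 2017-09-01 fix date named above. It assumes patch levels arrive as the `YYYY-MM-DD` strings Android exposes through `Build.VERSION.SECURITY_PATCH`, and treats a missing or unparseable value as exposed rather than silently passing it.

```python
from datetime import date

# Devices whose security patch level is 2017-09-01 or later carry the fix for the
# Toast overlay issue discussed in the article.
FIXED_PATCH_LEVEL = date(2017, 9, 1)


def parse_patch_level(value):
    """Return a date for a 'YYYY-MM-DD' patch level, or None if absent/unparseable."""
    if not value:
        return None
    try:
        return date.fromisoformat(value.strip())
    except ValueError:
        return None


def is_exposed(patch_level):
    """A device counts as exposed unless it proves a patch level at or past the fix.

    Builds older than Android 6.0 report no patch level at all, so the safe
    default for an empty or malformed value is 'exposed'.
    """
    parsed = parse_patch_level(patch_level)
    return parsed is None or parsed < FIXED_PATCH_LEVEL


def triage(devices):
    """Split an inventory of {'id', 'security_patch'} records into (exposed, fixed) id lists."""
    exposed, fixed = [], []
    for dev in devices:
        target = exposed if is_exposed(dev.get("security_patch")) else fixed
        target.append(dev["id"])
    return exposed, fixed


# Constructed sample inventory for demonstration; not real device data.
SAMPLE_DEVICES = [
    {"id": "dev-001", "security_patch": "2017-10-05"},
    {"id": "dev-002", "security_patch": "2017-09-01"},   # exactly the fix level
    {"id": "dev-003", "security_patch": "2017-08-05"},   # one month too old
    {"id": "dev-004", "security_patch": ""},             # no patch level reported
    {"id": "dev-005", "security_patch": "unknown"},      # malformed value
]

if __name__ == "__main__":
    exposed_ids, fixed_ids = triage(SAMPLE_DEVICES)
    print("exposed:", exposed_ids)
    print("fixed:  ", fixed_ids)
```

The comparison is inclusive on the fix date, matching the article's "2017-09-01 or later", and the "unknown" and empty cases are deliberately grouped with the exposed devices so that a reporting gap never hides an unpatched phone.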