Patch your Android or run Oreo, or you might OK your own pwnage

Unpatched Android devices not running Oreo are vulnerable to Toast overlay attacks.

Unpatched Android devices not running Oreo are vulnerable to Toast overlay attacks.

Researchers revealed a new high-severity vulnerability affecting the Google Android platform that could result in users actually agreeing for their Androids to be pwned.

While no one in their right mind would do that on purpose, they might do it on accident, since it is an overlay attack. What the user sees on the screen, such a “continue” button, might not be what they actually tapped OK for.  Underneath that overlay, they might have fallen for some slick tricks and just given malware admin rights to take control of the phone. Ugh, facepalm.

Palo Alto Networks Unit 42 explained:

Overlay attacks permit an attacker to draw on top of other windows and apps running on the affected device. To launch such an attack, malware normally needs to request the “draw on top” permission. However, this newly discovered overlay attack does not require any specific permissions or conditions to be effective. Malware launching this attack does not need to possess the overlay permission or to be installed from Google Play.

With this new overlay attack, malware can entice users to enable the Android Accessibility Service and grant the Device Administrator privilege or perform other dangerous actions. If these privileges are granted, a number of powerful attacks can be launched on the device, including stealing credentials, installing apps silently, and locking the device for the ransom.

Palo Alto warned that the vulnerability exploits an Android feature called Toast. The researchers added:

“Toast” is a type of notification window that “pops” (like toast) on the screen. “Toast” is typically used to display messages and notifications over other apps.

Unlike other window types in Android, Toast doesn’t require the same permissions, and so the mitigating factors that applied to previous overlay attacks don’t apply here. Additionally, our researchers have outlined how it’s possible to create a Toast window that overlays the entire screen, so it’s possible to use Toast to create the functional equivalent of regular app windows.

What Android devices are vulnerable to Toast attack?

Pretty much all Androids — unless the device is running the newest mobile OS Android 8.0, which is “immune from these attacks ‘out of the box.’” The researchers noted, “Most people who run Android run versions that are vulnerable. This means that it’s critical for all Android users on versions before 8.0 to get updates for their devices.”

Patch or run Android 8.0 Oreo

The patch for this severe vulnerability is part of the September Android Security Bulletin. If you depend upon your wireless carrier to deploy patches for your phone, then perhaps consider calling and hounding them about when the over-the-air update will roll out.

Short of applying the patches, the solution, it seems, is to make sure you have an Android running Oreo. Good luck with that. Android 8.0 is so new that it isn’t even listed as a platform version in use, meaning Oreo has less than a 0.1% distribution. Of course, it wasn’t even released yet for the time period in those stats. Oreo was released on August 21.

First, phone manufacturers have to adopt Oreo, then wireless carriers have to deploy it. Short of having Google Pixel or Nexus, which are the first to receive the newest Android operating systems, it might be a good long while before Oreo hits your phone. If it is even new enough to get the update.

When will Android Oreo be made available?

Coughing up nearly $1,000 for a new phone like the Samsung Galaxy Note 8 won’t guarantee your phone is protected, either. However, Samsung is allegedly working on a custom version of Google’s newest mobile operating system. Sammobile, which usually has reliable Samsung leak information, reported that sources said, “Samsung has started the development of the Android 8.0 Oreo update for the Galaxy S8 and S8+.”

For everyone else, Android Authority has done the guesswork for when phone makers will roll out Oreo. Based on historical updates in the past, the article suggested the best-case scenario for Samsung phones is about five to six months — January or February 2018. LG may roll Oreo out in October or November 2017. HTC might update to Android 8.0 in December or January 2018.

If you choose to jump on the Apple bandwagon to get away from Android altogether, Bloomberg said the cheapest model of iPhone 8 is expected to cost about $1,000.

Copyright © 2017 IDG Communications, Inc.

How to choose a SIEM solution: 11 key features and considerations