Now that Google is finally rolling out Oreo, the latest version of its Android operating system, to select smartphones (Google Pixel, Google Pixel XL, Nexus 6P, Nexus 5X or Pixel C) with more device support coming soon, users can now try out the numerous tweaks it’s bringing.
Features like faster boot times, better battery management, “Fluid” multitasking, picture-in-picture, notification dots, smart copy/paste and text auto-fill all aim to enhance Android’s user experience.
However, there’s another compelling reason why Android users should check for available updates as soon as they can – security.
Android Toast Overlay Attack
Researchers from Palo Alto Networks recently discovered a vulnerability that affects all Android phones not running Oreo. The flaw lies in the ability of Android phones to display “Toast” notifications combined with the ability of apps to draw on top of other apps.
In what is known as an overlay attack, attackers trick users into granting the “draw on top” permission to malware, which then displays fake screens that hide the actions it is actually performing.
Once the permission is granted, these apps display pop-ups that force the user to confirm a message or perform an action. The overlays can be used to disguise buttons that actually grant the malicious app further admin privileges.
We have seen different versions of this overlay attack, most notably the Marcher attacks, which use overlaid fake login pages to steal user credentials and credit card and banking information.
This time, however, attackers are using Toast notifications, the small, expiring pop-up messages that the system uses to quickly inform users. You have most likely seen Toast messages as Facebook Messenger notifications or “new Wi-Fi network connection” alerts on your Android phone.
The Palo Alto Networks researchers said that attackers can position Toast notifications to hide buttons that grant admin permissions and other accessibility options, since an app does not need the “Draw on top” permission to show Toast messages.
For example, an attacker can conceal a malicious app’s “Activate” button with a Toast notification that reads “Continue” instead. The researchers also found that attackers can make these Toast messages appear continuously, disguising malicious activity for as long as needed.
Check for updates now
The Palo Alto Networks researchers state that all versions of Android, except for the latest version, Oreo, are vulnerable to the Toast notification overlay attack. The flaw, tracked as CVE-2017-0752, was reported by the researchers to Google in May.
The patch is included in the September 2017 Android security update for supported non-Oreo Android versions; with the fix, apps that use Toast messages must now request the “Draw on top” permission as well.
According to the researchers, it is critical that Android users on versions before Oreo get the available security updates for their devices as soon as they can.
To check for updates: open Settings >> tap About phone >> tap System updates >> tap Check for updates. If an update is available it will download automatically; you just need to restart the device for it to install.
Aside from applying updates, here are more ways to protect your Android device from malicious apps:
- Opt into Google Play Protect – It is designed to work in the background, protecting users from malicious apps in real time.
- Only download apps from the Google Play Store – Even though some malicious apps make it into the Play Store, it does have a more thorough screening process, which cuts down the chances that a malicious app gets through. Third-party app stores don’t have these screening processes.
- Keep “Unknown sources” disabled whenever you are not using it.
- Make sure your device is updated with the most recent Android security update.
- Check the app’s developer – Verifying the developer’s name is important: copycat apps carry a different developer name than the genuine one. Before downloading an app, do a Google search to find the original developer.
- Reviews – Most popular apps have reviews by other users in the app store, and you can sometimes find reviews by experts online. These help point out malicious or faulty apps. If you find a review warning that the app is malicious, do NOT download it.
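The “Draw on top” permission the researchers describe, which the September patch now also requires for Toast messages, is Android’s SYSTEM_ALERT_WINDOW app-op, and it can be audited over adb. The following Python script is an added example, not code from the article or from Palo Alto Networks: it parses the output of `adb shell pm list packages -3` and `adb shell appops get <pkg> SYSTEM_ALERT_WINDOW` to list the third-party apps currently allowed to draw over other apps. The output formats it expects are assumptions based on common Android builds, and the sample strings are constructed, not captured from a device.

```python
"""Audit which third-party Android apps hold the "Draw on top" (SYSTEM_ALERT_WINDOW)
app-op, using `pm list packages -3` and `appops get <pkg> SYSTEM_ALERT_WINDOW`
over adb.

Added example. The expected output formats are assumptions (typical of common
Android builds), and the sample strings below are constructed, not captured.
"""
import re
import shutil
import subprocess

# Modes under which an app can currently draw over other apps.
OVERLAY_ALLOWED_MODES = {"allow", "foreground"}

# `pm list packages` prints one "package:<name>" line per app.
_PKG_RE = re.compile(r"^package:(\S+)\s*$")
# `appops get` prints "SYSTEM_ALERT_WINDOW: <mode>[; time=...]" when the op is set.
_APPOP_RE = re.compile(r"^SYSTEM_ALERT_WINDOW:\s*([a-z]+)")


def parse_package_list(text: str) -> list[str]:
    """Extract package names from `pm list packages` output."""
    pkgs = []
    for line in text.splitlines():
        m = _PKG_RE.match(line.strip())
        if m:
            pkgs.append(m.group(1))
    return pkgs


def parse_appops_mode(text: str) -> str:
    """Return the SYSTEM_ALERT_WINDOW mode from `appops get` output.

    "No operations." means the op was never set for the app, so there is no
    overlay grant; that case is reported as "default".
    """
    for line in text.splitlines():
        m = _APPOP_RE.match(line.strip())
        if m:
            return m.group(1)
    return "default"


def find_overlay_apps(package_list_text: str, appops_outputs: dict[str, str]) -> list[str]:
    """Return the packages whose overlay mode lets them draw over other apps."""
    flagged = []
    for pkg in parse_package_list(package_list_text):
        mode = parse_appops_mode(appops_outputs.get(pkg, ""))
        if mode in OVERLAY_ALLOWED_MODES:
            flagged.append(pkg)
    return flagged


# Constructed sample output (not captured from a real device).
SAMPLE_PACKAGE_LIST = """package:com.example.notes
package:com.example.flashlight
package:com.example.bank
"""
SAMPLE_APPOPS = {
    "com.example.notes": "No operations.\n",
    "com.example.flashlight": "SYSTEM_ALERT_WINDOW: allow; time=+2d3h12m0s ago\n",
    "com.example.bank": "SYSTEM_ALERT_WINDOW: deny\n",
}


def audit_device(adb: str = "adb"):
    """Run the audit against a connected device; returns None if adb is not installed."""
    if shutil.which(adb) is None:
        return None
    pkg_text = subprocess.run([adb, "shell", "pm", "list", "packages", "-3"],
                              capture_output=True, text=True, check=True).stdout
    outputs = {}
    for pkg in parse_package_list(pkg_text):
        outputs[pkg] = subprocess.run(
            [adb, "shell", "appops", "get", pkg, "SYSTEM_ALERT_WINDOW"],
            capture_output=True, text=True, check=True).stdout
    return find_overlay_apps(pkg_text, outputs)


if __name__ == "__main__":
    print("Sample audit:", find_overlay_apps(SAMPLE_PACKAGE_LIST, SAMPLE_APPOPS))
    print("Live device:", audit_device())
```

Apps that are flagged without an obvious reason to draw over other apps (the flashlight in the constructed sample) are the ones worth reviewing; the grant can be revoked per app from the system Settings entry for drawing over other apps, after which the script no longer lists it.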