A First Android malware called TOASTAMIGO has been discovered that capable of install other malware into infected devices using Toast Overlay attack.
Overlay attacks allow an attacker to draw on top of other windows and apps running on the affected device. With this recently found overlay assault does not require a particular permissions or conditions to be compelling.
Few Months Before same attack has been discovered via Cloak & Dagger Attack
Old Toast Overlay attack could abuse Android’s Accessibility features and leads to generate ads clicks a,app installing. but this one is capable of installing malware and other malicious activities .
This TOASTAMIGO Malware will entail a layer on top of the android app, window or process that leads to trick the victims by attacker to click the Fake overlay button instead of legitimate app or window.
In this case, TOASTAMIGO Toast Overlay Attack weaponize to download and install other malware by applying the fake layer into victim Android Screen.
All the Android version are affected Except(8.0/Oreo) by this Toast Overlay Attack. So before Android Oreo version users are urged to update the latest patch for this attack.
How Does this Toast Overlay attack Works
An Android app that belongs to app lockers has discovered form Google play store has asking accessibility permission to work.
Once Permission has been granted by the user then apps will launch a window to purportedly “analyze” the apps.
Since its already have permission, Behind of this process it download and install the second malware.
This Malware app is completely packed before published into Google play store.
There are two apps were discovered from Google play store and according to package structure analysis conformed that both apps was created by same developer.Trend Micro Detected this malware as ANDROIDOS_TOASTAMIGO
According to Trend Micro Report, The Toast Overlay attack is carried out when the apps purportedly note that it’s “analyzing the unprotected apps.”
To launch an overlay attack, malicious apps will typically request the “draw on top” permission; this has been the case with Android versions up to 6.0 (Marshmallow), and if installed from Google Play, they are exempted
To Bypass the various warning dialog’s from different android version, it has some malicious function in the source code doBackgroudTask.getInstance((Context)this will helps to execution of certain tasks in the background.
Combination of this unique attack vector by this Toast Overlay attack, infected Android device can be victimized to anything through communicating to C&C sever and update itself for getting new futures.
This Malware has some interesting future that will be executed in background of the Android window.
- com.photos.android.helper: Download a specified Android application package (APK)
- force_stop_MC: Forcibly stop mobile security apps
- bgAsprotectDialog: Prepare actions for dialog prompts, such as “Unknown sources”
- bgAutoInstallPage_4: Install an APK via Accessibility
- Accessibility: Open the Accessibility permission for the other APK
- bgGpAutoProtect: Keep itself from being uninstalled
- bgAsprotectDialog and bgAsprotectPage_4: Keep its Accessibility permission
Source : GBHackers