{"id":42289,"date":"2017-09-14T13:00:24","date_gmt":"2017-09-14T20:00:24","guid":{"rendered":"https:\/\/www.paloaltonetworks.com\/blog\/?p=42289"},"modified":"2026-06-11T15:31:48","modified_gmt":"2026-06-11T22:31:48","slug":"unit42-2-minute-threat-brief-android-toast-overlay-attack","status":"publish","type":"post","link":"https:\/\/origin-researchcenter.paloaltonetworks.com\/blog\/2017\/09\/unit42-2-minute-threat-brief-android-toast-overlay-attack\/","title":{"rendered":"2 Minute Threat Brief: Android Toast Overlay Attack"},"content":{"rendered":"<p><a href=\"https:\/\/www.paloaltonetworks.com\/blog\/2017\/09\/unit42-android-toast-overlay-attack-cloak-and-dagger-with-no-permissions\/\">Unit 42 released details<\/a> about a vulnerability that affects Android devices running operating systems older than 8.0 Oreo. The vulnerability leaves Android users at risk of falling victim to an Android Toast Overlay attack. Patches are available that fix this vulnerability, so Android users should install the latest updates as soon as possible.<\/p>\n<p><strong>How it Works<\/strong><\/p>\n<p>The vulnerability affects the Toast feature on Android devices, which lets an application \u201cpop up\u201d a short message on top of whatever is currently on screen, and it allows an attacker to use a Toast window to mount an overlay attack.<\/p>\n<p>An overlay attack happens when an attacker places a window over a legitimate application on the device. Users interact with that window thinking they are performing their intended action, but they are actually engaging with the attacker\u2019s overlay window and carrying out the action the attacker wants. 
You can see an example of how this would work in Figure 1.<\/p>\n<p><img class=\"alignnone size-full wp-image-42424\" src=\"https:\/\/www.paloaltonetworks.com\/blog\/wp-content\/uploads\/2017\/09\/Eila_toast-1.png\" alt=\"Eila_toast\" width=\"623\" height=\"586\" \/><\/p>\n<p>Figure 1: Bogus patch installer overlaying malware that is requesting administrative permissions<\/p>\n<p>Through this interaction the attacker can install additional malware on the device, grant the malware full administrative privileges, or lock the user out and render the device unusable.<\/p>\n<p>In the past, a successful overlay attack typically depended on two conditions:<\/p>\n<ol>\n<li>The malicious application must be downloaded from Google Play.<\/li>\n<li>The malicious application must explicitly request the \u201cdraw on top\u201d permission from the user, which allows it to display a window over other applications even when it is not in the foreground.<\/li>\n<\/ol>\n<p>With this particular vulnerability, neither condition is required for a successful attack. Attackers can deliver the malicious app from sources other than Google Play, and the app does not have to ask for the \u201cdraw on top\u201d permission, so the user is never prompted before the overlay appears.<\/p>\n<p><strong>How to Defend Against It<\/strong><\/p>\n<p>Keeping devices updated is a general security best practice. The Android Toast Overlay attack works only on devices running versions prior to 8.0 that have not received the fix, so update all Android devices to the latest available version and security patch level. 
Additionally, installing applications only from the Google Play store reduces the chance of downloading a malicious app and is another best practice you should always follow.<\/p>\n","protected":false},"excerpt":{"rendered":"<p>2 Minute Threat Brief: Android Toast Overlay Attack.<\/p>\n","protected":false},"author":226,"featured_media":25785,"comment_status":"open","ping_status":"open","sticky":false,"template":"","format":"standard","meta":{"_jetpack_memberships_contains_paid_content":false,"footnotes":""},"categories":[10737],"tags":[172,4354],"coauthors":[2416],"class_list":["post-42289","post","type-post","status-publish","format-standard","has-post-thumbnail","hentry","category-threat-intelligence","tag-android","tag-android-toast"],"jetpack_featured_media_url":"https:\/\/origin-researchcenter.paloaltonetworks.com\/blog\/wp-content\/uploads\/2017\/03\/Linkedin.jpg","jetpack_sharing_enabled":true,"_links":{"self":[{"href":"https:\/\/origin-researchcenter.paloaltonetworks.com\/blog\/wp-json\/wp\/v2\/posts\/42289","targetHints":{"allow":["GET"]}}],"collection":[{"href":"https:\/\/origin-researchcenter.paloaltonetworks.com\/blog\/wp-json\/wp\/v2\/posts"}],"about":[{"href":"https:\/\/origin-researchcenter.paloaltonetworks.com\/blog\/wp-json\/wp\/v2\/types\/post"}],"author":[{"embeddable":true,"href":"https:\/\/origin-researchcenter.paloaltonetworks.com\/blog\/wp-json\/wp\/v2\/users\/226"}],"replies":[{"embeddable":true,"href":"https:\/\/origin-researchcenter.paloaltonetworks.com\/blog\/wp-json\/wp\/v2\/comments?post=42289"}],"version-history":[{"count":3,"href":"https:\/\/origin-researchcenter.paloaltonetworks.com\/blog\/wp-json\/wp\/v2\/posts\/42289\/revisions"}],"predecessor-version":[{"id":42448,"href":"https:\/\/origin-researchcenter.paloaltonetworks.com\/blog\/wp-json\/wp\/v2\/posts\/42289\/revisions\/42448"}],"wp:featuredmedia":[{"embeddable":true,"href":"https:\/\/origin-researchcenter.paloaltonetworks.com\/blog\/wp-json\/wp\/v2\/media\/25785"}],"wp:attachment":[{"href":"https:\/\
/origin-researchcenter.paloaltonetworks.com\/blog\/wp-json\/wp\/v2\/media?parent=42289"}],"wp:term":[{"taxonomy":"category","embeddable":true,"href":"https:\/\/origin-researchcenter.paloaltonetworks.com\/blog\/wp-json\/wp\/v2\/categories?post=42289"},{"taxonomy":"post_tag","embeddable":true,"href":"https:\/\/origin-researchcenter.paloaltonetworks.com\/blog\/wp-json\/wp\/v2\/tags?post=42289"},{"taxonomy":"author","embeddable":true,"href":"https:\/\/origin-researchcenter.paloaltonetworks.com\/blog\/wp-json\/wp\/v2\/coauthors?post=42289"}],"curies":[{"name":"wp","href":"https:\/\/api.w.org\/{rel}","templated":true}]}}
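The brief's defensive advice is to update every Android device to a build that carries the fix. The script below is an added practitioner's check for that advice; it is not part of the Unit 42 brief and is not Palo Alto Networks code. It inventories the Android devices reachable over adb, flags those still on a pre-8.0 build (API level below 26, the range the brief says is affected), reports their security patch level so you can confirm the fix is installed, and lists third-party packages that already hold the "draw on top" (SYSTEM_ALERT_WINDOW) permission. That last check is complementary rather than specific to this bug: the Toast overlay attack needs no such permission, but an app that already has it can mount the classic overlay attack on any version. It assumes adb is on PATH and the devices are authorized for USB debugging; the sample `adb devices` output in the test is constructed.

```shell
#!/bin/sh
# Added example (not from the Unit 42 brief): inventory Android devices over adb
# and flag those in the Toast-overlay affected range (pre-8.0), plus any
# third-party apps that already hold the draw-on-top permission.
# Assumptions: adb is on PATH; devices are authorized for USB debugging.

# Android 8.0 (Oreo) is API level 26; anything lower is in the affected range.
OREO_SDK=26

# Classify a numeric API level. Prints "affected", "8.0+" or "unknown".
classify_sdk() {
    sdk="$1"
    case "$sdk" in
        ''|*[!0-9]*) echo "unknown"; return 2 ;;
    esac
    if [ "$sdk" -lt "$OREO_SDK" ]; then
        echo "affected"
        return 1
    fi
    echo "8.0+"
    return 0
}

# Extract serials from `adb devices` output on stdin. Only entries in the
# "device" state are kept; "unauthorized" and "offline" entries are skipped.
parse_serials() {
    awk 'NR > 1 && $2 == "device" { print $1 }'
}

# Per-device report: OS version, API level, security patch level and the
# classification, followed by third-party packages with SYSTEM_ALERT_WINDOW
# already allowed (queried through appops; `tr -d '\r'` strips CRLF that older
# adb builds emit).
report_device() {
    serial="$1"
    sdk=$(adb -s "$serial" shell getprop ro.build.version.sdk | tr -d '\r')
    rel=$(adb -s "$serial" shell getprop ro.build.version.release | tr -d '\r')
    patch=$(adb -s "$serial" shell getprop ro.build.version.security_patch | tr -d '\r')
    status=$(classify_sdk "$sdk")
    printf '%s\tAndroid %s (API %s)\tpatch %s\t%s\n' "$serial" "$rel" "$sdk" "$patch" "$status"
    adb -s "$serial" shell pm list packages -3 | tr -d '\r' | sed 's/^package://' |
    while read -r pkg; do
        if adb -s "$serial" shell appops get "$pkg" SYSTEM_ALERT_WINDOW | grep -q allow; then
            printf '\t%s already holds draw-on-top\n' "$pkg"
        fi
    done
}

# Run the inventory across every attached, authorized device.
main() {
    adb devices | parse_serials | while read -r serial; do
        report_device "$serial"
    done
}

# Only start the inventory when explicitly asked, so the functions above can be
# sourced and reused on their own.
if [ "${RUN_INVENTORY:-0}" = 1 ]; then
    main
fi
```

Run it with `RUN_INVENTORY=1 sh android_overlay_check.sh`. A device reported as "affected" is not necessarily exploitable, since the brief notes that patches exist for the affected versions; compare its patch date against the fix your vendor shipped, and treat devices that cannot receive that update as candidates for replacement rather than as acceptable risk.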