CyberWire Daily - Android Toast Overlay: Ryan Olson from Palo Alto Networks. [Research Saturday]

Episode Date: October 7, 2017

Android Toast Overlay enables attackers to trick Android users into enabling permissions on infected devices by making them think they are clicking on benign buttons superimposed over the user interface. Ryan Olson is Director of Threat Intelligence at Palo Alto Networks' Unit 42, and he joins us to share their research.

Transcript
Starting point is 00:00:00 You're listening to the Cyber Wire Network, powered by N2K. Hello, everyone, and welcome to the CyberWire's Research Saturday.
Starting point is 00:01:36 I'm Dave Bittner, and this is our weekly conversation with researchers and analysts tracking down threats and vulnerabilities and solving some of the hard problems of protecting ourselves in a rapidly evolving cyberspace. Thanks for joining us.
Starting point is 00:02:19 So the toast overlay attack that we reported to Google earlier this year, and they recently patched, is a traditional overlay attack. That's Ryan Olson. He's the director of threat intelligence
Starting point is 00:03:26 at Palo Alto Networks. With an overlay attack, the goal of the attacker is to try and display something over another application to trick you into doing something that you don't think you're doing. So to give you an example, you might display a fake screen over another application in your phone, which is sort of, it's visible to you, but if you were to touch it, you're sort of pressing through it. So if you could imagine you wanted to trick somebody into clicking accept on a dialogue, you could display a fake dialogue over that, which said, you know, do you want to like something on Facebook, when really what you're doing is agreeing to give somebody access to some permissions on your phone. That's generally the idea around an overlay. It's displaying something
Starting point is 00:04:08 over the regular interface to either take control or to trick the user in some way. Is an overlay attack something that's widely found? Is this something that's specific to Android, or would you find this on a desktop browser or maybe on an iOS device? So technically, the vulnerability, that kind of vulnerability or that kind of attack could exist on lots of different devices, but we haven't seen it in a lot of other platforms. Generally on something like a desktop, you don't have the same kind of complete
Starting point is 00:04:36 sort of one app view that you're looking at where an attacker is going to be able to trick you into thinking that another app is being displayed at the moment. It really just comes down to certain UI things that an operating system allows, which are typically to help the user in one way or another. And in this case, they're just being abused by an attacker. So take us through this particular kind of overlay. In this case, the research started, we have a researcher in our company, his name's Cong Zheng.
Starting point is 00:05:02 And he was actually looking into this paper that had been written by some folks at Georgia Tech and UCSD that was published earlier this year, and they called it Cloak and Dagger. And the idea behind the paper was that through getting a small number of permissions on an Android device, you could launch an overlay attack that could then be used to gain basically full access to the phone. The idea is if you can get an overlay that is overlaying the accessibility feature, the accessibility service inside Android is this thing that's there to help basically one app help another app do things for people who have some sort of disability. There's lots of different ways that accessibility is used. Once you've done that, though, once you have the accessibility feature, you can overlay pretty much anything that's happening inside the application. There's not a lot of these that have the service available.
Starting point is 00:05:52 And with that, you could then trick someone into doing all sorts of things, like setting that application as device administrator on your phone. And once an application has device administrator access, they can do pretty much anything they want. That's intended for like a corporation to install some sort of control application to ensure that they can, you know, encrypt data, remove data, destroy, wipe the phone if they want to, reset the passcode. What they described in Cloak and Dagger was that if an application basically had the small number of permissions and had come from the Android app store,
Starting point is 00:06:25 you could create an overlay attack that tricks someone into going down that road, enabling device administrator. The difference in what Cong found was that he found a way to launch this attack using a toast overlay. I'll describe what that is in a second. They didn't really require any permissions at all. If you got an Android app on your phone in any way, you would be able to successfully create overlays that trick someone into going all the way down that road to allowing that application to be device administrator, which opened the vulnerability up a little bit more broadly than
Starting point is 00:06:59 what had been described in the cloak and dagger paper originally. Wow. All right. So take us through, how did it work? So a toast overlay, and overlays in general are basically just writing over another application. The toast overlay in Android is one that people probably see pretty frequently. The idea is that it's an overlay that just briefly pops up and then disappears, like a piece of toast popping out of a toaster and then dropping back down in. Those are used for, for instance, you might be writing an email and you don't click send, but you leave the application and the email app says, hey,
Starting point is 00:07:31 you know, you didn't send that email. It might want to display that after you've left the application. It might want to pop up a little toast at the bottom of the window just to say, hey, by the way, you didn't actually send that. And that's a usability feature in Android. It's something to allow that app to tell you something, even though at that point you've already left their app. It's a way for them to give you just sort of this brief notification that shows up over another app. And in different versions of Android, Google has put in protections to prevent people from abusing all kinds of overlays, but specifically the Toast overlay. The Toast overlay can only last for a small amount of time. You can't click on them. They can't grab your actual, your touch preferences. And because of that, different versions of Androids were impacted differently by this
Starting point is 00:08:14 vulnerability. What Cong figured out is that by basically creating a whole bunch of loops, he could display a whole bunch of Toast overlays in different portions of the screen that all align with each other and could guide a user into going in, clicking on, hey, let's enable device administrator. And if they did that, the attacker, if they had actually launched an attack using this technique, they would have been able to get complete control over the phone. So instead of having a small pop-up, say, at the bottom of the screen, by using a series of pop-ups sort of woven together, they take over the whole screen? Exactly. So a series of pop-ups woven together,
Starting point is 00:08:56 all looping over and over again, because a toast overlay can only last for a small amount of time. But by carefully crafting these all together, you can basically cover any portion of the screen that you want to. There's different limits on how big toast overlays can be, but if you get enough of them going at one time, they effectively become one screen to the user. And it's seamless enough that it doesn't look like your screen is flickering or you have some sort of patchwork flashing in and out? Indeed. So we actually published a video when we wrote this blog because we wanted to make sure that people could see this is actually what it looks like. And we did that using a screen recording on an Android device, so you could see this is how it's going to appear. And if you go and watch that, it really becomes clear that there's really no way that you would have been able to tell that something strange was going on. The app
Starting point is 00:09:36 itself that we created for this is not especially pretty, but a sophisticated attacker could make something that was a lot prettier if they wanted to do that. So what would be an example of what someone would want to use this for? So device administrator access is obviously a great goal to have for an Android attacker because you could lock somebody's device if you want to and then prevent them from accessing it, display a message to them that says, hey, I've changed your lock password. Pay me, you know, half a Bitcoin. I'll give it back to you. That's a great technique that might be useful for just holding that device for ransom. In the same way, with device administrator privileges, it gives you more access to more data on the device. You have the ability to go and read common storage.
Starting point is 00:10:24 You could potentially access other kinds of sensitive information. The one we expect most people will probably be impacted by, though, is going to be ransomware. Some sort of ransomware attack if they do succumb to one of these overlays. Now, this has been patched for the latest release of Android, but it does affect older operating systems. So when we first discovered it, it had already been patched in Android 8. So they'd already basically created a new permission check that would stop these kind of overlays from being able to get you to the point of getting device administrator access. It was still existent
Starting point is 00:11:00 in Android 4, 5, 6, and 7, though. So Google made patches now so that the latest versions of each of those major lines of Android basically have a check in them to ensure that a toast overlay couldn't be displayed in a way that would allow someone to get to device administrator. That's the main change that they made. Obviously, it's still possible to display these kinds of pop-ups. People could potentially do some suspicious things, but the majority of the impact is greatly mitigated. And so is this still just a researcher proof of concept? Has there been any sign of an attack like this being used in the wild? There have been overlay attacks that have
Starting point is 00:11:36 occurred. We haven't seen any that have particularly been using this technique. So there haven't been sort of a wave of these that popped out after we published our research and talked about the fact that Google had patched it. That's a good thing. We don't want to see attackers pick up the kind of techniques that researchers are discovering. But it is something that might happen in the next few months. What's the process for you as researchers to release these sort of things? Because there is the potential that when you come up with some clever attack and you publish about it, then certainly the bad guys can use it. Obviously, you're informing Google ahead of time, but there's still a lot of unpatched systems out there. Certainly. So generally, the process is referred to as responsible disclosure,
Starting point is 00:12:21 which is the opposite of full disclosure, which is also the name of a really popular mailing list. But with full disclosure, you just release everything into the public as soon as you want to without giving advance notice or maybe after advance notice, but before there's been a patch released. Obviously, there's negative consequences of that. There are certainly reasons people might want to perform a full disclosure, but generally the practice followed in the security community is responsible disclosure, which means notifying the vendor who's responsible for the product in advance, allowing them a reasonable amount of time to actually patch it, patch whatever the vulnerability is, and then not disclosing that the vulnerability existed until that patch has been rolled out. For us, this gets a little bit complicated when you have something like Android, because Android devices, patches get rolled through Google into Android itself. And then they have to go through various phone OEMs through the vendors
Starting point is 00:13:16 themselves who make small changes to the devices. And those have to make their way to the devices themselves. So there's a slightly slower chain when it comes to a device like an Android device. When it comes to other kinds of software, it can be simpler depending on how their update chain works. But our goal always in working to describe these techniques is two things. One, we want to educate people that these kind of things are possible. They exist. People should be aware that sometimes if you're not updating your device, if you're not keeping it up to date, just because you're using a mobile device when you haven't experienced any malware in the past, it doesn't mean you're not going to in the future. And second, help get these things closed before people are actually taking advantage of them.
Starting point is 00:13:57 If we didn't disclose to Google, we just thought, you know, nobody's going to do anything about this. Then it would stay open and an attacker might pick it up and go start launching overlay attacks against people. And so what's your advice for folks to protect themselves against this? The best thing you can do is update your phone to the latest version of the Android OS, which is something you should do anyway. Updates are one of those things that are basic sort of hygiene for any kind of device. Update your laptop, update your tablet, update your phone, installing those updates while for some people they might appear to be sort of a pain because, you know, your phone has to reboot and all this stuff. They really are a valuable thing to install. They make your phone
Starting point is 00:14:35 safer and your phone contains some of the most important data you have and you should treat it as such. My perception comparing Android to iOS is that obviously there's two sides of this. Android gives you more control and you can customize your experience more than you can perhaps on iOS. But the flip side, I think, is that we see fewer of these attacks on the iOS side. That's my perception. Is that an accurate perception? We definitely see different kinds of attacks against Android and against iOS. So because Android, Google does allow users to install things from outside the Google Play Store, which is where most people, at least in the United States, get their apps from.
Starting point is 00:15:15 Since you can open that up, it means there's more possibility for really malware to get into the phone, things that are doing things the user doesn't want on their device. And there's lots of that for Android, things that are basically, you know, they look like one thing, but they're another. They sort of act like a Trojan horse. You're installing it because it's a flashlight app. It's a flashlight app that also has access to, you know, record audio or read your SMS messages. Those are the kind of things that have made their way onto Android devices, but typically wouldn't make their way through the Play Store. The Google Play Store has techniques in place.
Starting point is 00:15:50 They have algorithms. They have engineers as well who are working to sort of bounce things out of the Play Store when they're coming in. In Apple's case, everything has to go through the Apple App Store. And Apple's very conscious of the fact that malicious stuff getting in their App Store would have a negative impact for them. So they work really hard to keep it clean. That doesn't mean there's never been anything bad in either one of these stores. In the App Store and others, we've seen malicious activity occur. But it does mean we see different attacks. The most common attacks that we see against Apple users, against iOS users, aren't technical attacks that are using malware, exploiting vulnerabilities.
Starting point is 00:16:28 They're really just phishing attacks. Phishing attacks that trick people into giving up their Apple ID, their username, and their password for their Apple account, which now that they have all of their – potentially their email, maybe their passwords, all sorts of other information stored in the cloud that Apple operates, protecting that, those credentials are extremely important. So don't talk to strangers and stay out of bad neighborhoods. That is generally good advice. And patch your stuff. That's also important. Our thanks to Ryan Olson from Palo Alto Networks for joining us.
Starting point is 00:17:06 You can find out more about the Android Toast overlay attack on Palo Alto's Unit 42 blog. There's a video there that demonstrates the attack as well. You can check it out on their website. The Cyber Wire Research Saturday is proudly produced in Maryland out of the startup studios of Data Tribe, where they're co-building the next generation of cybersecurity teams and technologies. Our amazing Cyber Wire team is Elliot Peltzman, Puru Prakash, Stefan Vaziri, Kelsey Bond,
Starting point is 00:18:21 Tim Nodar, Joe Kerrigan, Carol Terrio, Ben Yellen, Nick Valecki, Gina Johnson, Bennett Moe, Chris Russell, John Petrick, Jennifer Iben, Rick Howard, Peter Kilpie, and I'm Dave Bittner. Thanks for listening.
