Sunday, December 3, 2023

All Android Version Except 8.0/Oreo are Vulnerable to Toast Overlay Malware Attack

A First Android malware called TOASTAMIGO has been discovered that capable of installing other malware into infected devices using Toast Overlay attack.

Overlay attacks allow an attacker to draw on top of other windows and apps running on the affected device. With this recently found overlay assault does not require a particular permissions or conditions to be compelling.

Few months before the same attack has been discovered via Cloak & Dagger Attack 

Old Toast Overlay attack could abuse Android’s Accessibility features and leads to generate ad clicks to generate revenue and to install apps. But this one is capable of installing malware and other malicious activities.

This TOASTAMIGO Malware will entail a layer on top of the Android app, window or process that leads to trick the victims by an attacker to click the fake overlay button instead of legitimate app or window.

In this case, TOASTAMIGO Toast Overlay Attack weaponize to download and install other malware by applying the fake layer to victim Android Screen.

All the Android version are affected Except(8.0/Oreo) by this Toast Overlay Attack. So before Android Oreo version users are urged to update the latest patch for this attack.

How Does this Toast Overlay attack Works

An Android app that belongs to app lockers has discovered from Google play store has asking accessibility permission to work.

Once Permission has been granted by the user then apps will launch a window to purportedly “analyze” the apps.

Since it already has the permission, behind of this process it downloads and installs the second malware.

This Malware app is completely packed before published into Google play store.

There are two apps were discovered from Google play store and according to the package, structure analysis confirmed that both apps were created by the same developer. Trend Micro Detected this malware as ANDROIDOS_TOASTAMIGO.

According to Trend Micro Report, The Toast Overlay attack is carried out when the apps purportedly note that it’s “analyzing the unprotected apps.”
To launch an overlay attack, malicious apps will typically request the “draw on top” permission; this has been the case with Android versions up to 6.0 (Marshmallow), and if installed from Google Play, they are exempted

To Bypass the various warning dialog’s from different android version, it has some malicious function in the source code doBackgroudTask.getInstance((Context)this    will helps to the execution of certain tasks in the background.

Combination of this unique attack vector by this Toast Overlay attack, infected Android device can be victimized to anything through communicating to C&C server and update itself for getting new futures.

This Malware has some interesting future that will be executed in the background of the Android window.

  • Download a specified Android application package (APK)
  • force_stop_MC: Forcibly stop mobile security apps
  • bgAsprotectDialog: Prepare actions for dialog prompts, such as “Unknown sources”
  • bgAutoInstallPage_4: Install an APK via Accessibility
  • Accessibility: Open the Accessibility permission for the other APK
  • bgGpAutoProtect: Keep itself from being uninstalled
  • bgAsprotectDialog and bgAsprotectPage_4: Keep its Accessibility permission

Latest articles

Active Attacks Targeting Google Chrome & ownCloud Flaws: CISA Warns

The CISA announced two known exploited vulnerabilities active attacks targeting Google Chrome & own...

Cactus Ransomware Exploiting Qlik Sense code execution Vulnerability

A new Cactus Ransomware was exploited in the code execution vulnerability to Qlik Sense...

Hackers Bypass Antivirus with ScrubCrypt Tool to Install RedLine Malware

The ScrubCrypt obfuscation tool has been discovered to be utilized in attacks to disseminate the RedLine Stealer...

Hotel’s Hacked Logins Let Attacker Steal Guest Credit Cards

According to a recent report by Secureworks, a well-planned and advanced phishing attack was...

Critical Zoom Vulnerability Let Attackers Take Over Meetings

Zoom, the most widely used video conferencing platform has been discovered with a critical...

Hackers Using Weaponized Invoice to Deliver LUMMA Malware

Hackers use weaponized invoices to exploit trust in financial transactions, embedding malware or malicious...

US-Seized Crypto Currency Mixer Used by North Korean Lazarus Hackers

The U.S. Treasury Department sanctioned the famous cryptocurrency mixer Sinbad after it was claimed...
BALAJI is an Ex-Security Researcher (Threat Research Labs) at Comodo Cybersecurity. Editor-in-Chief & Co-Founder - Cyber Security News & GBHackers On Security.

API Attack Simulation Webinar

Live API Attack Simulation

In the upcoming webinar, Karthik Krishnamoorthy, CTO and Vivek Gopalan, VP of Products at Indusface demonstrate how APIs could be hacked.The session will cover:an exploit of OWASP API Top 10 vulnerability, a brute force account take-over (ATO) attack on API, a DDoS attack on an API, how a WAAP could bolster security over an API gateway

Related Articles