Toast Overlay attack

A First Android malware called TOASTAMIGO has been discovered that capable of installing other malware into infected devices using Toast Overlay attack.

Overlay attacks allow an attacker to draw on top of other windows and apps running on the affected device. With this recently found overlay assault does not require a particular permissions or conditions to be compelling.

Few months before the same attack has been discovered via Cloak & Dagger Attack 

Old Toast Overlay attack could abuse Android’s Accessibility features and leads to generate ad clicks to generate revenue and to install apps. But this one is capable of installing malware and other malicious activities.

This TOASTAMIGO Malware will entail a layer on top of the Android app, window or process that leads to trick the victims by an attacker to click the fake overlay button instead of legitimate app or window.

In this case, TOASTAMIGO Toast Overlay Attack weaponize to download and install other malware by applying the fake layer to victim Android Screen.

All the Android version are affected Except(8.0/Oreo) by this Toast Overlay Attack. So before Android Oreo version users are urged to update the latest patch for this attack.

How Does this Toast Overlay attack Works

An Android app that belongs to app lockers has discovered from Google play store has asking accessibility permission to work.

Once Permission has been granted by the user then apps will launch a window to purportedly “analyze” the apps.

Since it already has the permission, behind of this process it downloads and installs the second malware.

This Malware app is completely packed before published into Google play store.

There are two apps were discovered from Google play store and according to the package, structure analysis confirmed that both apps were created by the same developer. Trend Micro Detected this malware as ANDROIDOS_TOASTAMIGO.

According to Trend Micro Report, The Toast Overlay attack is carried out when the apps purportedly note that it’s “analyzing the unprotected apps.”
To launch an overlay attack, malicious apps will typically request the “draw on top” permission; this has been the case with Android versions up to 6.0 (Marshmallow), and if installed from Google Play, they are exempted

To Bypass the various warning dialog’s from different android version, it has some malicious function in the source code doBackgroudTask.getInstance((Context)this    will helps to the execution of certain tasks in the background.

Combination of this unique attack vector by this Toast Overlay attack, infected Android device can be victimized to anything through communicating to C&C server and update itself for getting new futures.

This Malware has some interesting future that will be executed in the background of the Android window.

  • com.photos.android.helper: Download a specified Android application package (APK)
  • force_stop_MC: Forcibly stop mobile security apps
  • bgAsprotectDialog: Prepare actions for dialog prompts, such as “Unknown sources”
  • bgAutoInstallPage_4: Install an APK via Accessibility
  • Accessibility: Open the Accessibility permission for the other APK
  • bgGpAutoProtect: Keep itself from being uninstalled
  • bgAsprotectDialog and bgAsprotectPage_4: Keep its Accessibility permission