Patch your Android or run Oreo, or you might OK your own pwnage

Researchers revealed a new high-severity vulnerability affecting the Google Android platform that could result in users actually agreeing for their Androids to be pwned.

While no one in their right mind would do that on purpose, they might do it by accident, since this is an overlay attack. What the user sees on the screen, such as a “continue” button, might not be what they actually tapped OK for. Underneath that overlay, they might have fallen for some slick tricks and just given malware admin rights to take control of the phone. Ugh, facepalm.

Palo Alto Networks Unit 42 explained:

Overlay attacks permit an attacker to draw on top of other windows and apps running on the affected device. To launch such an attack, malware normally needs to request the “draw on top” permission. However, this newly discovered overlay attack does not require any specific permissions or conditions to be effective. Malware launching this attack does not need to possess the overlay permission or to be installed from Google Play.

With this new overlay attack, malware can entice users to enable the Android Accessibility Service and grant the Device Administrator privilege or perform other dangerous actions. If these privileges are granted, a number of powerful attacks can be launched on the device, including stealing credentials, installing apps silently, and locking the device for ransom.

Palo Alto warned that the vulnerability exploits an Android feature called Toast. The researchers added:

“Toast” is a type of notification window that “pops” (like toast) on the screen. “Toast” is typically used to display messages and notifications over other apps.

Unlike other window types in Android, Toast doesn’t require the same permissions, and so the mitigating factors that applied to previous overlay attacks don’t apply here. Additionally, our researchers have outlined how it’s possible to create a Toast window that overlays the entire screen, so it’s possible to use Toast to create the functional equivalent of regular app windows.

What Android devices are vulnerable to Toast attack?

Pretty much all Androids — unless the device is running the newest mobile OS Android 8.0, which is “immune from these attacks ‘out of the box.’” The researchers noted, “Most people who run Android run versions that are vulnerable. This means that it’s critical for all Android users on versions before 8.0 to get updates for their devices.”

Patch or run Android 8.0 Oreo

The patch for this severe vulnerability is part of the September Android Security Bulletin. If you depend upon your wireless carrier to deploy patches for your phone, then perhaps consider calling and hounding them about when the over-the-air update will roll out.
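For anyone responsible for more than one handset, the practical question is which devices in a fleet still lack the fix. The script below is an added example, not code from the article or from Palo Alto Networks: it classifies a device as covered if it reports Android 8.0 or later, or a security patch level on or after the September 2017 bulletin. The threshold date 2017-09-01 is an assumption (the article only says "September Android Security Bulletin"), and the inventory lines are constructed sample data; the live path reads the standard `ro.build.version.release` and `ro.build.version.security_patch` properties over adb.

```shell
#!/bin/sh
# Fleet triage for the Toast overlay issue (added example, not from the article).
# A device counts as covered if it runs Android 8.0+ or carries a security
# patch level >= PATCH_THRESHOLD. The threshold is an assumption based on the
# article's reference to the September 2017 Android Security Bulletin.

PATCH_THRESHOLD="2017-09-01"

# is_covered RELEASE SECURITY_PATCH
# Prints "covered" or "vulnerable". Always returns 0 so it can be used in
# command substitution under 'set -e'.
is_covered() {
    release="$1"
    patch="$2"

    # Major version is everything before the first dot ("7.1.2" -> 7).
    major="${release%%.*}"
    case "$major" in
        ''|*[!0-9]*) major=0 ;;   # unparsable release string: treat as old
    esac
    if [ "$major" -ge 8 ]; then
        echo covered
        return 0
    fi

    # Compare patch levels as YYYYMMDD integers; reject anything that is
    # not a well-formed date (empty, garbage, or a pre-2015 device that
    # never reported the property).
    pnum=$(printf '%s' "$patch" | tr -d '-')
    tnum=$(printf '%s' "$PATCH_THRESHOLD" | tr -d '-')
    case "$pnum" in
        [0-9][0-9][0-9][0-9][0-9][0-9][0-9][0-9])
            if [ "$pnum" -ge "$tnum" ]; then
                echo covered
                return 0
            fi
            ;;
    esac

    echo vulnerable
    return 0
}

# check_connected_device: live path for a single USB/adb-attached device.
# Uses the standard Android build properties; requires adb on PATH.
check_connected_device() {
    rel=$(adb shell getprop ro.build.version.release | tr -d '\r')
    pat=$(adb shell getprop ro.build.version.security_patch | tr -d '\r')
    printf '%s %s %s\n' "$rel" "$pat" "$(is_covered "$rel" "$pat")"
}

# Constructed sample inventory: serial, release, security patch level.
SAMPLE_INVENTORY='
DEV0001 8.0.0 2017-08-05
DEV0002 7.1.2 2017-09-05
DEV0003 7.1.2 2017-08-05
DEV0004 6.0.1
DEV0005 5.1.1 unknown
'

# triage_inventory: reads "serial release patch" lines on stdin and prints
# "serial status" for each one.
triage_inventory() {
    while read -r serial rel pat; do
        [ -n "$serial" ] || continue
        printf '%s %s\n' "$serial" "$(is_covered "$rel" "$pat")"
    done
}

if [ "${1:-}" = "--live" ] && command -v adb >/dev/null 2>&1; then
    check_connected_device
else
    printf '%s\n' "$SAMPLE_INVENTORY" | triage_inventory
fi
```

Run it with no arguments to see the classification of the constructed sample inventory, or with `--live` while a device is attached over adb to check that handset. Patch levels compare cleanly as dates once the dashes are stripped, which avoids locale-dependent string comparison; a device that cannot report a parsable patch level is deliberately classed as vulnerable rather than unknown, because on an unpatched device the absence of the property is itself a bad sign.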

Copyright © 2017 IDG Communications, Inc.
