The ‘high-severity’ bug could allow malicious apps to take over a device by drawing a false window – but Android 8.0 Oreo isn’t affected
Most Android users are vulnerable to a newly disclosed type of attack that could give hackers full control over a device, according to researchers.
The ‘high-severity’ flaw has been fixed in Google’s September release of Android patches, and it doesn’t affect the latest operating system release, Android 8.0 Oreo, according to Palo Alto Networks.
Most users affected
But it affects all versions prior to 8.0, meaning nearly all Android users are vulnerable.
“Since Android 8.0 is a relatively recent release, this means that nearly all Android users should take action today and apply updates that are available to address this vulnerability,” the company said in an advisory.
The exploit involves a type of ‘overlay attack’, in which a malicious window is drawn on top of a legitimate program. Such an attack can be used to trick users into giving the program full control of the device, or it can effectively lock the device by blocking access to the screen, with no way of removing it.
Once a program is granted full privileges it can install software such as ransomware or programs that aim to steal data, Palo Alto said.
“This vulnerability could be used to take control of devices, lock devices and steal information after it is attacked,” the company said.
‘Toast’ overlay attack
Previously it was thought overlay attacks could only work if they were installed from Google’s Play Store and explicitly requested the ‘draw on top’ permission when installed, Palo Alto said.
But its research found the same type of attack can be carried out using a pop-up window feature called ‘Toast’. The Toast overlay attack doesn’t require the user to grant a specific permission, and works on applications installed from third-party app stores.
“Our researchers have outlined how it’s possible to create a Toast window that overlays the entire screen, so it’s possible to use Toast to create the functional equivalent of regular app windows,” Palo Alto wrote.
The firm advised users to obtain the patch from their device vendor or update to Android 8.0.
Google’s official Play Store is considered more secure than third-party application outlets, but apps infected with malicious code are regularly found there, too.
What do you know about the history of mobile messaging? Find out with our quiz!