Toast Overlay attacks, a Cloak and Dagger with No Permissions, fixed by Google

Google just fixed a high-severity Android vulnerability, tracked as CVE-2017-0752, that ties with the Toast Overlay attacks.

Security researchers with Palo Alto Networks Unit 42, warned of a high-severity Android vulnerability, tracked as CVE-2017-0752, that ties with the “toast attack” overlay vulnerability.

The experts reported that it is possible to abuse Android’s toast notification, a feature that is used to provide feedback about an operation in a small short-lived pop up notification, to obtain admin rights on targeted phones and take over the device.

The vulnerability affects all versions of the Android operating system prior to the latest Android 8.0, (Oreo), nearly all Android users.

“What our researchers have found is a vulnerability that can be used to more easily enable an “overlay attack,” a type of attack that is already known on the Android platform. This type of attack is most likely to be used to get malicious software on the user’s Android device.” reads the analysis published by Palo Alto Networks. “This type of attack can also be used to give malicious software total control over the device. In a worst-case attack scenario, this vulnerability could be used to render the phone unusable (i.e., a “brick”) or to install any kind of malware including (but not limited to) ransomware or information stealers. In simplest terms, this vulnerability could be used to take control of devices, lock devices and steal information after it is attacked.”

The toast attack is exploitable for “overlay” attacks on Android phones, attackers use them to create a UI overlay to be displayed on top of legitimate Android applications and trick victims into providing sensitive information or clicking confirmation buttons.


The overlay attack can also be exploited to trigger a denial-of-service condition by creating a toast window that overlays an entire screen of the mobile device.

A toast-type overlay is similar to the Cloak and Dagger attack method that was discovered earlier this year.

“Cloak & Dagger is a new class of potential attacks affecting Android devices. These attacks allow a malicious app to completely control the UI feedback loop and take over the device — without giving the user a chance to notice the malicious activity. These attacks only require two permissions that, in case the app is installed from the Play Store, the user does not need to explicitly grant and for which she is not even notified. Our user study indicates that these attacks are practical. These attacks affect all recent versions of Android (including the latest version, Android 7.1.2), and they are yet to be fixed.” states the researchers.

Cloak and Dagger attacks abuse the following basic Android permissions:

  • SYSTEM_ALERT_WINDOW (“draw on top”) – is a legitimate overlay feature that allows apps to overlap on a device’s screen and top of other apps.
  • BIND_ACCESSIBILITY_SERVICE (“a11y”) – is a permission designed to help disabled users, allowing them to enter inputs using voice commands, or listen content using screen reader feature.

The Toast overlay attacks are quite similar but do not require specific Android permissions to be granted by users.

“Overlay attacks permit an attacker to draw on top of other windows and apps running on the affected device. To launch such an attack, malware normally needs to request the “draw on top” permission” reads the analysis from PaloAlto Networks.

“This newly discovered overlay attack does not require any specific permissions or conditions to be effective. Malware launching this attack does not need to possess the overlay permission or to be installed from Google Play. With this new overlay attack, malware can entice users to enable the Android Accessibility Service and grant the Device Administrator privilege or perform other dangerous actions,”

The Google’s September Android Security Bulletin already addresses the CVE-2017-0752 flaw.

[adrotate banner=”9″]

Pierluigi Paganini

FAIR USE NOTICE: Under the "fair use" act, another author may make limited use of the original author's work without asking permission. Pursuant to 17 U.S. Code § 107, certain uses of copyrighted material "for purposes such as criticism, comment, news reporting, teaching (including multiple copies for classroom use), scholarship, or research, is not an infringement of copyright." As a matter of policy, fair use is based on the belief that the public is entitled to freely use portions of copyrighted materials for purposes of commentary and criticism. The fair use privilege is perhaps the most significant limitation on a copyright owner's exclusive rights. Cyber Defense Media Group is a news reporting company, reporting cyber news, events, information and much more at no charge at our website Cyber Defense Magazine. All images and reporting are done exclusively under the Fair Use of the US copyright act.

Global InfoSec Awards 2022

We are in our 10th year, and these awards are incredibly well received – helping build buzz, customer awareness, sales and marketing growth opportunities, investment opportunities and so much more.


10th Anniversary Exclusive Top 100 CISO Conference & Innovators Showcase