Research Saturday 10.7.17
Ep 4 | 10.7.17

Android Toast Overlay: Ryan Olson from Palo Alto Networks.


Dave Bittner: [00:00:03] Hello everyone, and welcome to the CyberWire's Research Saturday.

Dave Bittner: [00:00:07] I'm Dave Bittner, and this is our weekly conversation with researchers and analysts tracking down threats and vulnerabilities, and solving some of the hard problems of protecting ourselves in a rapidly evolving cyberspace. Thanks for joining us.

Dave Bittner: [00:00:23] I'd like to tell you a little bit about our sponsor, Cybrary, the people who know how to empower your security team. Cybrary is the learning and assessment tool of choice for IT and security teams at today's top companies. They deliver the kind of hands on training fifty-five percent of enterprises say is the most important qualification when they're hiring. And once you hire, you want to retain. And Cybrary helps there too, because seventy percent of employees say professional development is a big reason for staying on board. Visit and see what they can do for your organization. Not only is it effective, it's affordable too, costing just about a 12th of what legacy approaches to training would set you back. So contact Cybrary for a demo. That's, and tell them the CyberWire sent you.

Ryan Olson: [00:01:20] So the Toast Overlay attack that we reported to Google earlier this year, and they recently patched, is a traditional overlay attack.

Dave Bittner: [00:01:28] That's Ryan Olson. He's the director of threat intelligence at Palo Alto Networks.

Ryan Olson: [00:01:33] With an overlay attack the goal of the attacker is to try and display something over another application to trick you into doing something that you don't think you're doing. So to give you an example, you might display a fake screen over another application in your phone which is sort of, uh, it's visible to you. But if you were to touch it, you're sort of pressing through it. So if you could imagine you wanted to trick somebody into clicking 'accept' on a dialogue, you could display a fake dialogue over that which said, you know, do you want to like something on Facebook. When really what you're doing is agreeing to give somebody access to some permissions on your phone.

Ryan Olson: [00:02:10] That's generally the idea around an overlay. It's displaying something over the regular interface to either take control or to trick the user in some way.

Dave Bittner: [00:02:19] Is an overlay attack something that's widely found? Is this something that's specific to Android, or would you find this on a desktop browser, or maybe on an iOS device?

Ryan Olson: [00:02:28] So technically the vulnerability, that kind of vulnerability or that kind of attack, could exist on lots of different devices, but we haven't seen it in a lot of other platforms. Generally on something like a desktop, you don't have the same kind of complete sort of one-app view that you're looking at, where an attacker is going to be able to trick you into thinking that another app is being displayed at the moment. It really just comes down to certain UI things that an operating system allows, which are typically to help the user in one way or another. In this case they're just being abused by an attacker.

Dave Bittner: [00:03:00] So take us through this particular kind of overlay.

Ryan Olson: [00:03:02] In this case, the research started, we have a researcher in our company, his name's Cong Zheng, and he was actually looking into this paper that had been written by some folks at Georgia Tech and UCSD that was published earlier this year. And they called it "Cloak and Dagger." And the idea behind the paper was that through getting a small number of permissions on an Android device you could launch an overlay attack that could then be used to gain basically full access to the phone.

Ryan Olson: [00:03:30] The idea is if you can get an overlay that is overlaying the accessibility feature, the accessibility service inside Android is this thing that's there to help, basically, one app help another app do things for people who have some sort of disability. There's lots of different ways that accessibility is used. Once you've done that though, once you have the accessibility feature, you can overlay pretty much anything that's happening inside the application. There's not a lot of these that have the service available. And with that, you can then trick someone into doing all sorts of things, like setting that application as device administrator on your phone.

Ryan Olson: [00:04:04] And once somebody, once an application as device administrator access they can do pretty much anything they want. That's intended for like, a corporation to install some sort of control application to ensure that they can, you know, encrypt data, remove data, destroy, wipe the phone if they want to, reset the passcode. What they described in Cloak and Dagger was that, if an application basically had the small number of permissions, and had come from the Android app store, you could create an overlay attack that tricked someone into going down that road, going down that road enabling device administrator.

Ryan Olson: [00:04:37] The difference in what Cong found, was that he found a way to launch this attack using a Toast overlay--I'll describe what that is in a second--that didn't really require any permissions at all. If you got an Android app on your phone in any way, you would be able to successfully create overlays that trick someone into going all the way down that road to allowing that application to be device administrator, which opened the vulnerability up a little bit more broadly than what had been described in the Cloak and Dagger paper originally.

Dave Bittner: [00:05:08] Wow. All right. So take us through, how did it work?

Ryan Olson: [00:05:11] So a Toast Overlay, and overlays in general, are basically just writing over another application. The Toast Overlay in Android is one that people probably see pretty frequently. The idea is that it's an overlay that just briefly pops up and then disappears, like a piece of toast popping out of a toaster and then dropping back down in. Those are used for, for instance, you might be writing an email and you don't click send but you leave the application, and the e-mail app says, hey, you know you didn't send that e-mail. It might want to display that after you've left the application. It might want to pop up a little toast at the bottom of the window just to say, hey, by the way, you didn't actually send that.

Ryan Olson: [00:05:47] And that's a usability feature in Android; it's something to allow that app to tell you something even though at that point you've already left their app. It's a way for them just to give you, just sort of this brief notification that shows up over another app. And in different versions of Android, Google has put in protections to prevent people from abusing all kinds of overlays, but specifically the Toast Overlay. The Toast Overlay can only last for a small amount of time. You can't click on them, they can't grab your actual, your touch preferences. And because of that, different versions of Androids were impacted differently by this vulnerability.

Ryan Olson: [00:06:20] What Cong figured out, is that by basically creating a whole bunch of loops, he could display a whole bunch of Toast Overlays in different portions of the screens that all align with each other, and could guide a user into going and clicking on, hey, let's enable device administrator. And if they did that, the attacker, if they had actually launched an attack using this technique, they would have been able to get complete control over the phone.

Dave Bittner: [00:06:43] So instead of having a small pop-up, say at the bottom of the screen, by using a series of pop-ups sort of woven together, they take over the whole screen?

Ryan Olson: [00:06:53] Exactly. So a series of pop-ups woven together, all looping over and over again, because a Toast Overlay can only last for a small amount of time. But by carefully crafting these all together, you can basically cover any portion of the screen that you want to. There's different limits on how big Toast Overlays can be, but if you get enough of them going at one time they effectively become one screen to the user.

Dave Bittner: [00:07:16] And it's seamless enough that it doesn't look like your screen is flickering or you have some sort of patchwork flashing in and out?

Ryan Olson: [00:07:22] Indeed. So we actually published a video when we wrote this blog and, because we wanted to make sure that people get to see this is actually what it looks like. And we did that using a screen recording on an Android actual, an Android device so you could see this is how it's going to appear. And if you go and watch that, it really becomes clear that there's really no way that you would have been able to tell that something strange was going on. The app itself that we created for this is not especially pretty, but a sophisticated attacker could make something that was a lot prettier if they wanted to do that.

Dave Bittner: [00:07:50] So what would be an example of what someone would want to use this for?

Ryan Olson: [00:07:55] So device administrator access is obviously a great goal to have for an Android attacker because you could lock the device if you want to, which is great for ransomware. So if I want to take over somebody's device and then prevent them from accessing it, display a message to them that says, hey, I've changed your lock password, pay me, you know, half a bitcoin and I'll give it back to you. That's a great technique that might be useful for just holding that device for ransom.

Ryan Olson: [00:08:20] In the same way, you can, with device administrator privileges, it gives you more access to more data on the device. You have the ability to go and read common storage, you could potentially access other kinds of sensitive information. The one I expect most people will probably be impacted by though, is going to be ransomware. If they, some sort of ransomware attack, if they do succumb to one of these overlays.

Dave Bittner: [00:08:44] Now this is, been patched for the latest release of Android, but it does affect older operating systems.

Ryan Olson: [00:08:51] So when we first discovered it, it had already been patched in Android 8. So they'd already basically created a new permission check that would stop these kind of overlays from being able to get you to the point of getting device administrator access. It was still existent in Android 4, 5, 6, and 7 though. So Google made patches now so that the latest versions of each of those major lines of Android basically have a check in them to ensure that a Toast Overlay couldn't be displayed in a way that would allow someone to get to device administrator. That's the main change that they made. Obviously it's still possible to display these kinds of pop ups. People could potentially do some suspicious things, but the majority of the impact is greatly mitigated.

Dave Bittner: [00:09:33] And so is this still just a researcher proof of concept? Has there been any sign of an attack like this being used in the wild?

Ryan Olson: [00:09:40] There have been overlay attacks that have occurred, we haven't seen any that have particularly been using this technique. So there haven't been sort of a wave of these that popped out after we published our research and talked about the fact that Google had patched it. That's a good thing. We don't want to see attackers pick up the kind of techniques that researchers are discovering. But it is something that might happen in the next few months.

Dave Bittner: [00:10:04] What's the process for you as researchers to release these sort of things? Because there is the potential that when you come up with some clever attack, then you know, and you publish about it, then certainly the bad guys can use it. Obviously you're informing Google ahead of time, but there's still a lot of unpatched systems out there.

Ryan Olson: [00:10:21] Certainly. So generally the process is referred to as responsible disclosure, which is the opposite of full disclosure, which is also the name of a really popular mailing list. But with full disclosure, you just release everything into the public as soon as you want to without giving advance notice, or maybe after advance notice but before there's been a patch released. Obviously there's negative consequences of that.

Ryan Olson: [00:10:44] There are certainly reasons people might want to perform a full disclosure, but generally the practice followed in the security community is responsible disclosure, which means notifying the vendor who's responsible for the product in advance, allowing them a reasonable amount of time to actually patch it, patch whatever the vulnerability is, and then not disclosing that the vulnerability existed until that patch has been rolled out.

Ryan Olson: [00:11:07] For us, this gets a little bit complicated when you have something like Android, because Android devices, patches get rolled through Google into Android itself, and then they have to go through various phone OEMs, through the vendors themselves who make small changes to the devices, and those have to make their way to the devices themselves. So there's a slightly slower chain when it comes to a device like an Android device. When it comes to other kinds of software, it can be simpler depending on how their update chain works.

Ryan Olson: [00:11:38] But our goal always in working to describe these techniques is two things: one, we want to educate people that these kinds of things are possible. They exist. People should be aware that sometimes, if you're not updating your device, if you're not keeping it up to date, just because you're using a mobile device when you haven't experienced any malware in the past it doesn't mean you're not going to in the future. And second, help get these things closed before people are actually taking advantage of them. If we didn't disclose it to Google, we just thought, you know, nobody's going to do anything about this. Then it would stay open and an attacker might pick it up and go start launching overlay attacks against people.

Dave Bittner: [00:12:12] And so what's your advice for folks to protect themselves against this?

Ryan Olson: [00:12:16] The best thing you can do is update your phone to the latest version of the Android OS. Which is something you should do anyway. Updates are one of those things that are basic sort of hygiene for any kind of device. Update your laptop, update your tablet, update your phone. Installing those updates, while for some people they might appear to be sort of a pain because, you know, your phone has to reboot and all this stuff, they really are a valuable thing to install. They make your phones safer, and your phone contains some of the most important data you have, and you should treat it as such.

Dave Bittner: [00:12:46] You know my perception comparing Android to iOS is that obviously there's two sides to this, you know, Android gives you more control and you can customize your experience more than you can perhaps on iOS. But the flip side I think is that we see fewer of these attacks on the iOS side. That's my perception. Is that an accurate perception?

Ryan Olson: [00:13:06] We definitely see different kinds of attacks against Android and against iOS. So because Android, Google does allow users to install things from outside the Google Play Store, which is where most people at least in the United States get their apps from, since you can open that up it means there's more possibility for really, malware to get into the phone. Things that are doing things the user doesn't want on their device. And there's lots of that for Android. Things that are basically, you know, they look like one thing but they are another. They sort of act like a Trojan horse. You're installing it because it's a flashlight app, it's a flashlight app that also has access to, you know, record audio or read your SMS messages.

Ryan Olson: [00:13:45] Those are the kind of things that have made their way onto Android devices, but typically wouldn't make their way through the Play Store. The Google Play Store has techniques in place, they have algorithms, they have engineers as well who are working to sort of bounce things out of the play store when they're coming in.

Ryan Olson: [00:14:02] In Apple's case everything has to go through the Apple App Store. And Apple's very conscious of the fact that malicious stuff getting in their App Store would have a negative impact for them, so they work really hard to keep it clean.

Ryan Olson: [00:14:16] That doesn't mean there's never been anything bad in either one of these stores. In the App Store and others, we've seen malicious activity occur, but it doesn't mean we see different attacks. The most common attacks that we see against Apple users, against iOS users, aren't technical attacks that are using malware, exploiting vulnerabilities. They're really just phishing attacks. Phishing attacks to trick people into giving up their Apple ID, their username and their password for their Apple account, which now that they have all of their, potentially their email, maybe their passwords, all sorts of other information stored in this, in the cloud that Apple operates, protecting that those credentials are extremely important.

Dave Bittner: [00:14:54] So don't talk to strangers and stay out of bad neighborhoods.

Ryan Olson: [00:14:57] That is generally good advice, uh, and patch your stuff. That's also important.

Dave Bittner: [00:15:07] Our thanks to Ryan Olson from Palo Alto Networks for joining us. You can find out more about the Android Toast Overlay attack on Palo Alto's Unit 42 blog. There's a video there that demonstrates the attack as well. You can check it out on their website.

Dave Bittner: [00:15:21] And thanks again to our sponsor Cybrary for making this edition of Research Saturday possible. Visit, and see what they can do for your organization. Don't forget to check out our CyberWire Daily News Brief and podcast, along with interviews, our glossary, and more on our Web site The CyberWire Research Saturday is produced by Pratt Street Media. Our coordinating producer is Jennifer Eiben, editor is John Petrik, technical editor is Chris Russell, executive editor is Peter Kilpe, and I'm Dave Bittner. Thanks for listening.