A few months back, an Android toast overlay message exploit abused the toast overlay system to craft a full-screen overlay pushed through the toast notification itself. This allowed a malicious attacker to craft a UI window through a toast overlay which made users unknowingly enable administrator access for an application or enable accessibility services for the application. Now, it seems, this overlay exploit attack has been found in the Google Play Store, with the attack detected as ANDROIDOS_TOASTAMIGO by TrendMicro. The exploit, found in the Google Play Store, was found in many applications including one with over 500,000 downloads as of November 6th, 2017.
Toastamigo is the first weaponisation of the concept and it affects all versions of Android except for Android Oreo and devices which have received the September 2017 or later security patch. Asking users to grant accessibility service access, the applications in question then used the exploit to draw an “analysing apps” overlay over the screen as it began to grant itself administrator access and install another application on the device dubbed Clickamigo, by formulating tap actions using the accessibility service granted. This works because the user does not need to grant window overlay access so the regular user won’t notice if anything seems malicious.
Clickamigo seems to be the main purpose of the attack. Loading ad networks and using a proxy server when they don’t load, Clickamigo simply clicks AdMob or Facebook ads to make the original creator of the application a profit. The application then protects itself through similar methods of giving itself administrator access and accessibility service access, along with disabling mobile security apps on the device and even rating itself on the Google Play Store.
It just goes to show that just because an application is available in the Play Store, it does not mean that it is safe. Users should still be careful of the applications they install and use.