Experts from Palo Alto Networks have described a new attack on Android devices that uses Toast Notification pop-ups. Most of the most popular mobile malware of recent years has used it to gain full control over the attacked device.
The attack works by getting the victim, during installation, to grant the malware the right to display content on top of other applications. Having received that right, the malware displays pop-up windows asking the user to confirm some messages or perform certain actions. In reality, the application is requesting access to the Accessibility Service while "covering" the "Activate" button with harmless-looking pop-up notifications. Similarly, the malware displays fake content over the pop-up messages that grant administrator rights.
This method has been used by intruders for at least two years, but it was first described in detail in the Cloak & Dagger study conducted by scientists at the University of California at Santa Barbara and the Georgia Institute of Technology. Since then, this type of attack has been called Cloak & Dagger.
Inspired by their colleagues' report, experts from Palo Alto Networks decided to explore other ways to implement Cloak & Dagger. In particular, they focused on Toast Notification, the rapidly disappearing notifications at the bottom of the screen.
Toast Notification is very convenient for a Cloak & Dagger attack because, by nature, these notifications are displayed on top of any application, which relieves attackers of having to request the right to display content on top of other applications.
Now attackers only need to get the victim to install a malicious application on their device. They can then request administrator privileges to access AccessibilityService, hiding the "Activate" button behind a Toast Notification.
This vulnerability, tracked as CVE-2017-0752, was fixed on Tuesday, September 5, with the release of the planned updates for Android. The problem affects all versions of the OS except Android 8.0 Oreo.