News broke over the weekend that Google is instructing Android developers whose apps use Accessibility Services for anything other than assisting users with disabilities to remove that functionality. It has now surfaced that this change is related to a “toast overlay” attack that tricks users into installing malware by masking parts of the interface.
According to Trend Micro, malicious applications can superimpose “images over other apps and certain parts of the device’s controls and settings.” The goal is to trick users into installing malware and other nefarious payloads, or into granting the permissions that let the malicious app update itself.
An image of a seemingly benign “OK” or “Continue Installation” button, for instance, can be displayed over a hidden button that, when tapped, surreptitiously grants the app device privileges. The same trick can be used to install a malicious information-stealing app, or even to hijack the screen and lock the user out, as ransomware does.
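The attack above works because the covered app cannot tell that the tap it received was aimed at a fake button drawn by someone else. Android does give a view a way to refuse such taps: the input system marks a touch with FLAG_WINDOW_IS_OBSCURED when a window owned by another app covers the touched point. The following is an added example written for this page, not code from the article or from Trend Micro; the class name and package are invented, while the framework calls (setFilterTouchesWhenObscured, onFilterTouchEventForSecurity, MotionEvent.FLAG_WINDOW_IS_OBSCURED and FLAG_WINDOW_IS_PARTIALLY_OBSCURED) are real Android APIs.

```java
// Added example, not from the article or Trend Micro: a button that drops any
// tap delivered while another app's window is drawn over it, which is the
// platform-level defence against overlay/tapjacking tricks such as the toast
// overlay described above. Package and class name are hypothetical.
package com.example.hardened;

import android.content.Context;
import android.util.AttributeSet;
import android.util.Log;
import android.view.MotionEvent;
import android.widget.Button;

public class ObscuredTouchRejectingButton extends Button {

    private static final String TAG = "ObscuredTouch";

    public ObscuredTouchRejectingButton(Context context, AttributeSet attrs) {
        super(context, attrs);
        // Same effect as android:filterTouchesWhenObscured="true" in the layout
        // XML: the framework's default filter drops touches that carry
        // FLAG_WINDOW_IS_OBSCURED.
        setFilterTouchesWhenObscured(true);
    }

    @Override
    public boolean onFilterTouchEventForSecurity(MotionEvent event) {
        int flags = event.getFlags();

        // Set when another app's window fully covers the point that was touched.
        boolean obscured = (flags & MotionEvent.FLAG_WINDOW_IS_OBSCURED) != 0;

        // Set (API 29+) when another app's window covers only part of this
        // window. The constant is inlined at compile time, so this compiles
        // against compileSdkVersion 29 or later and simply never matches on
        // older releases.
        boolean partiallyObscured =
                (flags & MotionEvent.FLAG_WINDOW_IS_PARTIALLY_OBSCURED) != 0;

        if (obscured || partiallyObscured) {
            if (event.getAction() == MotionEvent.ACTION_DOWN) {
                Log.w(TAG, "Ignoring tap: another app is drawing over this view");
            }
            // Returning false swallows the event; the user may not have seen
            // what they actually tapped, so treat the tap as unintended.
            return false;
        }
        return super.onFilterTouchEventForSecurity(event);
    }
}
```

Use it in place of Button for any control that does something security-sensitive (confirm a purchase, approve a permission, start an install). Two caveats: the check protects only views inside your own app, so it does nothing for the system's own permission and install dialogs that the overlay attack targets, which is why the platform fix matters; and an app that legitimately needs to accept taps under another app's overlay (a screen reader, say) will see those taps dropped.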
The security firm found several apps on the Play Store that took advantage of this vulnerability; Google removed them after being informed.
One of them, “Smart AppLocker,” had 500,000 installs as of last week. Since removed, it enabled “ad-clicking, app-installing and self-protecting/persistence capabilities.”
All versions of Android other than 8.0 Oreo are affected, though Google released a patch in the September Security Bulletin. Meanwhile, many developers, Action Launcher’s among them, are updating their apps to remove their various uses of Accessibility Services.