Categories: Security

All Android Versions Except Oreo Affected By ‘Critical’ Security Flaw

Most Android users are vulnerable to a newly disclosed type of attack that could give hackers full control over a device, according to researchers.

The ‘high-severity’ flaw has been fixed in Google’s September release of Android patches, and it doesn’t affect the latest operating system release, Android 8.0 Oreo, according to Palo Alto Networks.

Most users affected

But it affects all versions prior to 8.0, meaning nearly all Android users are vulnerable.

“Since Android 8.0 is a relatively recent release, this means that nearly all Android users should take action today and apply updates that are available to address this vulnerability,” the company said in an advisory.

The exploit involves a type of ‘overlay attack’, in which a malicious window is drawn on top of a legitimate program. Such an attack can be used to trick users into giving the program full control of the device, or it can effectively lock the device by blocking access to the screen, with no way of removing it.

Once a program is granted full privileges it can install software such as ransomware or programs that aim to steal data, Palo Alto said.

“This vulnerability could be used to take control of devices, lock devices and steal information after it is attacked,” the company said.

Loading ...

‘Toast’ overlay attack

Previously it was thought overlay attacks could only work if they were installed from Google’s Play Store and explicitly requested the ‘draw on top’ permission when installed, Palo Alto said.

But its research found the same type of attack can be carried out using a pop-up window feature called ‘Toast’. The Toast overlay attack doesn’t require the user to grant a specific permission, and works on applications installed from third-party app stores.

“Our researchers have outlined how it’s possible to create a Toast window that overlays the entire screen, so it’s possible to use Toast to create the functional equivalent of regular app windows,” Palo Alto wrote.

The firm advised users to obtain the patch from their device vendor or update to Android 8.0.

Google’s official Play Store is considered more secure than third-party application outlets, but apps infected with malicious code are regularly found there, too.

What do you know about the history of mobile messaging? Find out with our quiz!

Matthew Broersma

Matt Broersma is a long standing tech freelance, who has worked for Ziff-Davis, ZDnet and other leading publications

Recent Posts

Craig Wright Sentenced For Contempt Of Court

Suspended prison sentence for Craig Wright for “flagrant breach” of court order, after his false…

2 days ago

El Salvador To Sell Or Discontinue Bitcoin Wallet, After IMF Deal

Cash-strapped south American country agrees to sell or discontinue its national Bitcoin wallet after signing…

2 days ago

UK’s ICO Labels Google ‘Irresponsible’ For Tracking Change

Google's change will allow advertisers to track customers' digital “fingerprints”, but UK data protection watchdog…

2 days ago

EU Publishes iOS Interoperability Plans

European Commission publishes preliminary instructions to Apple on how to open up iOS to rivals,…

3 days ago

Momeni Convicted In Bob Lee Murder

San Francisco jury finds Nima Momeni guilty of second-degree murder of Cash App founder Bob…

3 days ago