TOASTAMIGO – the first known strain of malware that uses the Toast Overlay exploit

Trend Micro spotted TOASTAMIGO, the first known malware that uses the recently patched vulnerability that ties with the Toast Overlay attacks.

Malware researchers at Trend Micro have spotted the first known strain of malware that triggers the recently patched vulnerability, tracked as CVE-2017-0752, that ties with the Toast Overlay attacks.

The vulnerability was discovered in September by security researchers with Palo Alto Networks Unit 42.

The experts reported that it is possible to abuse Android’s toast notification, a feature that is used to provide feedback about an operation in a small short-lived pop up notification, to obtain admin rights on targeted phones and take over the device.

The vulnerability affects all versions of the Android operating system prior to the latest Android 8.0, (Oreo), nearly all Android users.

“What our researchers have found is a vulnerability that can be used to more easily enable an “overlay attack,” a type of attack that is already known on the Android platform. This type of attack is most likely to be used to get malicious software on the user’s Android device.” reads the analysis published by Palo Alto Networks. “This type of attack can also be used to give malicious software total control over the device. In a worst-case attack scenario, this vulnerability could be used to render the phone unusable (i.e., a “brick”) or to install any kind of malware including (but not limited to) ransomware or information stealers. In simplest terms, this vulnerability could be used to take control of devices, lock devices and steal information after it is attacked.”

The toast attack is exploitable for “overlay” attacks on Android phones, attackers use them to create a UI overlay to be displayed on top of legitimate Android applications and trick victims into providing sensitive information or clicking confirmation buttons.


Google fixed the flaw in its monthly Android security updates.

This week, Trend Micro experts reported seeing the first piece of malware exploiting the Toast overlay flaw, for this reason, it was dubbed TOASTAMIGO. The Android malware was disguised as apps named Smart AppLocker that had been available on Google Play, it has been downloaded hundreds of thousands of times before Google removed it.

The TOASTAMIGO app claims to secure devices with a PIN code, but once the victim installed it, the app requests Accessibility permissions and inform the user that they need to scan the phone for unsecure apps. The malware uses the Toast exploit to display a progress screen for the “scan,” while it executes commands from the attackers in background and installs a second-stage malware named by Trend Micro AMIGOCLICKER.

“The malware ironically pose as legitimate app lockers that supposedly secure the device’s applications with a PIN code. Upon installation, these apps will notify the user that they need to be granted Accessibility permissions for it to work. It’s all a ruse to sidestep Android’s countermeasure that requires apps to have explicit user permission.” states Trend Micro. “After granting permissions, the apps will launch a window to purportedly “analyze” the apps. Behind the scenes, however, the apps carry out actions or commands, including the installation of a second malware (since it already has the permissions).”

TOASTAMIGO also implements features to prevent its removal by security software. AMIGOCLICKER is able to collect Google accounts and perform other actions, including click on buttons in system dialogs, click on Facebook ads, and give itself a five-star rating on Google Play.

“The miscellany of the malware’s malicious functionalities, combined with a relatively unique attack vector, makes them credible threats. In fact, the aforementioned functionalities can actually be modified for further cyberattacks,” Trend Micro researchers said in a blog post. “Since TOASTAMIGO and AMIGOCLICKER can misuse Android’s Accessibility feature to virtually do anything, this malware can update itself when getting the remote server’s commands.”

[adrotate banner=”9″] [adrotate banner=”12″]

Pierluigi Paganini

(Security Affairs – Toast Overlay attacks, Toastamigo app)

[adrotate banner=”5″]

[adrotate banner=”13″]

Pierluigi Paganini

Pierluigi Paganini is member of the ENISA (European Union Agency for Network and Information Security) Threat Landscape Stakeholder Group and Cyber G7 Group, he is also a Security Evangelist, Security Analyst and Freelance Writer. Editor-in-Chief at "Cyber Defense Magazine", Pierluigi is a cyber security expert with over 20 years experience in the field, he is Certified Ethical Hacker at EC Council in London. The passion for writing and a strong belief that security is founded on sharing and awareness led Pierluigi to find the security blog "Security Affairs" recently named a Top National Security Resource for US. Pierluigi is a member of the "The Hacker News" team and he is a writer for some major publications in the field such as Cyber War Zone, ICTTF, Infosec Island, Infosec Institute, The Hacker News Magazine and for many other Security magazines. Author of the Books "The Deep Dark Web" and “Digital Virtual Currency and Bitcoin”.

Recent Posts

MediSecure data breach impacted 12.9 million individuals

Personal and health information of 12.9 million individuals was exposed in a ransomware attack on…

1 hour ago

CrowdStrike update epic fail crashed Windows systems worldwide

Windows machines worldwide displayed BSoD screen following a faulty update pushed out by cybersecurity firm…

7 hours ago

Cisco fixed a critical flaw in Security Email Gateway that could allow attackers to add root users

Cisco has addressed a critical vulnerability that could allow attackers to add new root users…

13 hours ago

SAPwned flaws in SAP AI core could expose customers’ data

Researchers discovered security flaws in SAP AI Core cloud-based platform that could expose customers' data. Cybersecurity researchers…

1 day ago

Cybercrime group FIN7 advertises new EDR bypass tool on hacking forums

The cybercrime group FIN7 is advertising a security evasion tool in multiple underground forums, cybersecurity…

1 day ago

How to Protect Privacy and Build Secure AI Products

AI systems are transforming technology and driving innovation across industries. How to protect privacy and…

2 days ago

This website uses cookies.