My library

+ Add to library

Contact us
24/7 Tech support | Rules regarding submitting

Send a message

Your tickets




A vulnerability in the system of Android overlays (windows that are displayed on top of other objects). It allows cybercriminals to create screen objects that are displayed on top of other interface elements of the operating system and applications. This vulnerability poses a threat to all devices running Android starting from version 4.3 and up to 8.0. Usually, to create any visual forms on top of other windows, an application needs to request an OS for the corresponding permission. However, the ToastOverlay vulnerability allows to do it without any additional requests. In theory, cybercriminals can use ToastOverlay to display phishing windows, block stable device operation, use deceptive means to make a user provide them with administrator privileges, or perform any other potentially dangerous actions.

If Dr.Web for Android has detected this vulnerability, it is strongly recommended that you contact the device manufacturer to get necessary updates for the operating system.

Technical details

The ToastOverlay vulnerability allows to create screen objects on top of other interface elements even if an application which uses this vulnerability is installed not from Google Play and has only one permission: BIND_ACCESSIBILITY_SERVICE. Android uses the TYPE_TOAST windows, that represent one of the standard overlay types, to display short messages on top of other windows. The ToastOverlay vulnerability allows to display the TYPE_TOAST window on top of other interface elements without the SYSTEM_ALERT_WINDOW request, which usually requires to be sent to the operating system and processed there. Thus, cybercriminals can display the TYPE_TOAST window on the vulnerable device without any additional privileges and track screen taps. The vulnerability is linked with the lack of permission check in the component Android AOSP. Commonly, the permission check and operation check are performed in order to display screen objects on top of other interface elements. However, they are not performed for the TYPE_TOAST windows, and the request is processed automatically. Due to this, the application, which uses the vulnerability, gains full control over the TYPE_TOAST window. The correct check of the access permissions was implemented only in Android 8.0. The following Android versions are subject to this vulnerability: 4.4.4, 5.0.2, 5.1.1, 6.0, 6.0.1, 7.0, 7.1.1, and 7.1.2.

See also information about other vulnerabilities

© Doctor Web
2003 — 2023

Doctor Web is a cybersecurity company focused on threat detection, prevention and response technologies