Attacking and Defending Android Browsers

Abstract

The Android permission system is a set of safeguards designed to restrict access to potentially sensitive data and privileged components. While third-party applications cannot access privileged resources without the appropriate permissions, Android OS treats mobile browsers differently. Android mobile browsers are privileged applications that have access to sensitive data based on the permissions implicitly granted to them. In this research, we present a novel attack approach that allows a zero-permission app to access sensitive data and privileged resources by using mobile browsers as a proxy with the aid of a toast overlay. We demonstrate the effectiveness of our proxy attack on 8 mobile browsers across 12 Android devices ranging from Android 8.1 to Android 13. Our findings show that all current versions of Android mobile browsers are susceptible to this attack. Despite Android's touch prevention mechanisms for external apps, internal apps and those sharing the same userID remain susceptible. Contrary to Android's claims, devices continue to exhibit background toasts, which opens a window of opportunity for these overlay attacks and poses a threat to browser apps and WebView activities within the same app. We propose a detection approach that leverages a blend of static detection and activity behavior analysis. Our detection approach enhances Android device security by addressing overlay vulnerabilities and their potential impact on user privacy and data security. Overall, the findings of this study highlight the need for improved security measures in Android browsers to protect against privilege escalation and privacy leakage