by kelnos 976 days ago
Unless I'm misreading this, it sounds like an app can only suppress the clipboard paste toast if either:

1) It's a system app, and thus has permission to "legally" suppress the notification. This can be a problem for pre-installed third-party apps. But if your phone doesn't have those, you're fine. (More or less; I don't love the idea that system apps can suppress the notification, period.)

2) It's an app that you've explicitly granted permission to draw over top of other apps. Which is a permission that's hard to accidentally grant, and is a permission that you shouldn't grant to any app, unless you super super super super trust it.

Seems like kinda a nothingburger?


Drawing over other apps is a problem too. On my OnePlus, I just checked, there are 23 apps with the permission to draw over other apps, but only 3 of those are the ones I've explicitly allowed.

20/23 apps are Google, OnePlus, or Android System apps. I never knew so many of them had this permission!

The 20 apps are all pre-installed from the factory. If you don't trust those, then you need to change your device. There is no trivial way of removing them short of rooting or flashing a new ROM.
Even factory apps ought to be given the minimum permissions needed to do their job - otherwise someone will find an exploit for one and have an easier time doing evils.
Use App Manager from F-Droid and enable adb mode or wireless debugging, and then freeze the unwanted apps. The manual tells you exactly how to use adb over USB or enable wireless debugging.
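The check the OnePlus commenter did by hand (how many overlay-capable apps are preinstalled system apps) can be scripted over adb, as an added example that is not code from any commenter or from App Manager. It assumes adb is in PATH with one device attached and debugging enabled; the "draw over other apps" permission is the SYSTEM_ALERT_WINDOW app-op.

```shell
#!/bin/sh
# Added example: audit which packages hold the "draw over other apps"
# permission (SYSTEM_ALERT_WINDOW) and how many are preinstalled system apps.
# Assumes: adb in PATH, USB or wireless debugging enabled, one device attached.

# Package names currently allowed the overlay op, one per line.
overlay_allowed() {
  adb shell appops query-op SYSTEM_ALERT_WINDOW allow | tr -d '\r'
}

# Preinstalled (system partition) packages, "package:" prefix stripped.
system_packages() {
  adb shell pm list packages -s | tr -d '\r' | sed 's/^package://'
}

# classify_overlay OVERLAY_LIST SYSTEM_LIST
# Both arguments are whitespace-separated package lists. Prints one line per
# overlay holder ("<pkg> system" or "<pkg> user") and a final summary line
# "total=N system=M user=K". Separate from the adb calls so it also runs
# on saved output.
classify_overlay() {
  overlay=$1
  system=$2
  total=0; sys=0; usr=0
  for pkg in $overlay; do
    total=$((total + 1))
    if printf '%s\n' "$system" | grep -qx "$pkg"; then
      sys=$((sys + 1)); echo "$pkg system"
    else
      usr=$((usr + 1)); echo "$pkg user"
    fi
  done
  echo "total=$total system=$sys user=$usr"
}

# Freeze a package for the primary user without root; reversible with
# "pm enable". This is the "freeze" step the comment above refers to.
freeze_package() {
  adb shell pm disable-user --user 0 "$1"
}

# Run the live audit only when asked, so the functions can be sourced safely.
if [ "${1:-}" = "--live" ]; then
  classify_overlay "$(overlay_allowed)" "$(system_packages)"
fi
```

Run with `--live` to audit the attached device; the user-installed entries in the output are the ones you actually granted, and the rest are the factory set the thread is discussing.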
> Seems like kinda a nothingburger?

Yep, it's a nothingburger (which also explains why it's not filed through a security disclosure and getting a CVE).

Just declaring the draw-over-apps permission will also kick you into a much more rigorous Play Store review if you try to publish the app.

The first scenario is a possibility for a lot of budget phones, as well as carrier-distributed phones. Both include bundled third party "system" apps, especially the budget phones where the bundleware is more likely to be from questionable devs.

It's something most of us knew already, but it's just another reason why it's a bad idea to buy dirt cheap crapware-subsidized phones, and why it's better to buy phones through electronics retailers or from the manufacturer and to steer clear of purchasing through carriers.

If the main attack vector is "software preinstalled by shady manufacturers", I'd still file that under "nothingburger". There are many, many ways for shady manufacturers to do shady things with their OEM version of Android, and this is far from a game changer for them.