Security researchers have discovered a new attack, named ‘Cloak and Dagger’, that works against all versions of Android up to and including version 7.1.2.
The Cloak and Dagger attack allows attackers to silently take full control of a device and steal private data, including keystrokes, chats, the device PIN, online account passwords, OTP passcodes and contacts.
- Even the latest versions of Android are vulnerable to attacks
- Researchers contacted Google about the vulnerabilities 9 months ago
- The attacks require only two permissions on the device
The two permissions the attack relies on:
- SYSTEM_ALERT_WINDOW (“draw on top”)
- BIND_ACCESSIBILITY_SERVICE (“a11y”)
The core of the Cloak and Dagger attack:
Discovered by researchers at the University of California Santa Barbara and the Georgia Institute of Technology, the Cloak and Dagger attacks use two permissions on Android. The first is System Alert Window, also known as ‘draw on top’, which allows an app to create overlays, i.e. to draw on top of other apps and of the Android interface. The second is Bind Accessibility Service, known as ‘a11y’, which lets an app use the numerous accessibility services Android provides to help people with sight and other impairments.
Using either or both of these permissions, a malicious app can subject users to clickjacking: the app shows the user one interface that masks another interface underneath it. For example, the user could be shown an innocuous questionnaire while, beneath it, app permissions are being toggled without the user’s knowledge.
Risks arise largely from malicious code within pirated apps. The attack method has been reported to Google.
“Developers can no longer rely on the ‘walled garden’ approach of app stores to protect their users from malicious copies of their apps, and need to proactively defend their software from criminals seeking to tamper with its code and turn it into a weapon.”
Unsurprisingly, these two permissions enable all sorts of attacks against users. “These attacks allow a malicious app to completely control the UI feedback loop and take over the device – without giving the user a chance to notice the malicious activity,” reads the description of the Cloak and Dagger attacks on a dedicated website. Notably, these attacks affect even the latest versions of Google’s mobile platform, including Android 7.1.2 Nougat, and require merely two permissions.
Alarmingly, the System Alert Window or ‘draw on top’ permission does not have to be explicitly granted by the user when an app is installed via Google Play. To make things worse, as explained above, once a malicious app with the Draw on Top permission is installed, it can easily trick the user into granting it the Bind Accessibility Service permission. Worst of all, these vulnerabilities have not been fixed to date.
The researchers first contacted Google around 9 months ago, and some of the vulnerabilities were fixed over the following months with updates. Others, however, are still present in the latest version of the platform, because the permissions the attack relies on are also legitimately required by some applications, as pointed out in a report by Android Police.
What hackers can do to your phone
Since the attack does not require any malicious code to perform its trojanized tasks, it is easier for attackers to develop and submit a malicious app to the Google Play Store without detection.
Unfortunately, it is well known that the security mechanisms used by Google are not enough to keep all malware out of its app market.
Just last month, researchers uncovered several Android apps that masqueraded as an innocent “Funny Videos” app on the Play Store, with over 5,000 downloads, but distributed the ‘BankBot’ banking Trojan, which steals victims’ banking passwords.
Here is how the researchers explained getting their app onto the Google Play Store to perform Cloak & Dagger attacks:
“In particular, we submitted an app requiring these two permissions and containing a non-obfuscated functionality to download and execute arbitrary code (attempting to simulate a clearly malicious behaviour): this app got approved after just a few hours (and it is still available on the Google Play Store),” the researchers say.
Once the app is installed, the researchers say, an attacker can perform various malicious activities, including:
- Advanced clickjacking attack
- Unconstrained keystroke recording
- Stealthy phishing attack
- Silent installation of a God-mode app (with all permissions enabled)
- Silent phone unlocking and arbitrary actions (while keeping the screen off)
In short, attackers can secretly take over your Android device and spy on everything you do on your phone.
The researchers also note that they were able to get their malicious app approved by the store and that it is still available on Google Play.
Thus, until Android O arrives, users cannot do much to avoid being trapped beyond regular security practices: install apps only from trusted sources, don’t install random apps, and keep a close watch on the permissions an app asks for.
How to Survive?
The easiest way to disable the Cloak and Dagger attacks in Android 7.1.2 is to turn off the “draw on top” permission by going to:
Settings → Apps → Gear symbol → Special access → Draw over other apps.
The simplest general precaution against being hacked is to download apps only from the Google Play Store, and only from trusted and verified developers.
You are also advised to check app permissions before installing apps.
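Checking the Settings screen above works for one phone at a time; the same two facts can be pulled over adb. The script below is an added example (not the article's or the researchers' code) that audits which installed packages request SYSTEM_ALERT_WINDOW and which have an accessibility service enabled, and flags any package holding both. It parses the text printed by `adb shell dumpsys package <pkg>` and `adb shell settings get secure enabled_accessibility_services`; the samples embedded here are constructed approximations of that output, and the package and class names are placeholders.

```python
"""Audit installed apps for the two capabilities Cloak and Dagger relies on.
Added example, not the article's or the researchers' code. It parses the output
of two real adb commands, given here as constructed samples so it runs offline
(package and class names are placeholders):
  adb shell dumpsys package <pkg>
  adb shell settings get secure enabled_accessibility_services
"""
DRAW_ON_TOP = "android.permission.SYSTEM_ALERT_WINDOW"
# Constructed `dumpsys package` excerpts: only the funnyvideos app asks to draw on top.
DUMPSYS_SAMPLE = {
    "com.example.funnyvideos": (
        "    requested permissions:\n"
        "      android.permission.INTERNET\n"
        "      android.permission.SYSTEM_ALERT_WINDOW\n"
        "    install permissions:\n"
    ),
    "com.example.notes": "    requested permissions:\n      android.permission.INTERNET\n",
}
# Constructed enabled_accessibility_services value: colon-separated package/class pairs.
A11Y_SAMPLE = ("com.example.funnyvideos/com.example.funnyvideos.CaptureService:"
               "com.android.talkback/com.google.android.marvin.talkback.TalkBackService")

def requested_permissions(dumpsys_text):
    """Permission names listed under 'requested permissions:' (uses-permission entries)."""
    perms, in_block = set(), False
    for line in dumpsys_text.splitlines():
        stripped = line.strip()
        if stripped == "requested permissions:":
            in_block = True
        elif in_block and stripped.endswith(":"):
            break  # the next section header ends the block
        elif in_block and stripped:
            perms.add(stripped.split(":")[0])
    return perms

def enabled_a11y_packages(setting_value):
    """Packages with an enabled accessibility service; 'null' means none are enabled."""
    value = setting_value.strip()
    if not value or value == "null":
        return set()
    return {entry.split("/")[0] for entry in value.split(":") if entry}

def audit(dumpsys_by_pkg, a11y_setting):
    """Per package: draw-on-top requested, accessibility service enabled, or both."""
    a11y_pkgs = enabled_a11y_packages(a11y_setting)
    report = {}
    for pkg, text in dumpsys_by_pkg.items():
        draw, a11y = DRAW_ON_TOP in requested_permissions(text), pkg in a11y_pkgs
        report[pkg] = {"draw_on_top": draw, "accessibility": a11y, "both": draw and a11y}
    return report
```

Call `audit(DUMPSYS_SAMPLE, A11Y_SAMPLE)` to see the sample result; against a real phone, feed it the dumpsys text of each package from `adb shell pm list packages` and the live setting value. An app flagged for draw-on-top alone still deserves a look, since the article explains that this permission is enough to trick the user into enabling the accessibility service.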