Notebookcheck

"Cloak and Dagger" vulnerability can leave your Android phone open to attack

A recently confirmed Android exploit can seize control of your device. (Image source: goh4x.blogspot.com)
The exploit, which has long been theorized, was confirmed by computer security researchers. By using invisible overlays and some clever social engineering, hackers can quickly gain full control of an Android device.

If WannaCry and the recent media player attacks haven’t yet made you concerned about cyber security, a long-conjectured exploit in Android has now been confirmed by researchers at the Georgia Institute of Technology and the University of California.

Dubbed “Cloak and Dagger” or “Tapjacking,” the exploit uses two permissions to gain full access to a targeted device. Here’s the pinch: the permissions are often granted without the user’s knowledge. The permissions needed for the exploit to work are SYSTEM_ALERT_WINDOW and BIND_ACCESSIBILITY_SERVICE, also known as the “draw on top” and “a11y” permissions. SYSTEM_ALERT_WINDOW is used by apps to draw overlays on top of the screen, à la Facebook Messenger’s chat heads. This permission is automatically granted to apps that request it if installed via the Google Play Store. Using this permission, the malicious app can draw invisible overlays on the screen without the user knowing they’re there. The overlays can then relay data, such as tapped areas on the screen, and be used to parse user input into the app. Using this permission alone, a nefarious party can use an invisible overlay drawn over the keyboard area to ascertain user passwords and sensitive messages. Worse yet, these invisible overlays can be used to trick users into granting the a11y permission.

BIND_ACCESSIBILITY_SERVICE (a11y) can be a dangerous permission to grant, as it can allow an app deep control over the entire system. It’s often used for legitimate purposes, such as in battery saver apps or other monitoring/control apps. However, researchers showed that once it has been granted the a11y permission, an app can then trigger every other permission possible, enabling a “God Mode” that allows the app to do anything on the infected phone. This can include activating the camera, connecting to specific networks, or even sending user data, all without the knowledge of the user. In a video, the researchers show off one of these “God Mode” apps and how powerful (and malicious) they can be.

So what about a fix? Surprisingly, Google hasn’t stated that they’ll be patching the problem anytime soon. With the exploit afflicting Android versions 5.1.1 through the latest 7.1.2, this leaves a huge array of devices vulnerable. Android O might mitigate the issue as it will notify users when an app is using an overlay. However, this “solution” is highly dependent on the end user being attentive and understanding the risk this can pose. A representative for Google also said that Play Store Protect will “detect and prevent the installation of [the malicious] apps.”

As with all types of malware, the best defense is information. Users should remain attentive and be highly critical of apps that request permissions, especially those that request a11y Accessibility permissions. Stay vigilant, Android users!

Sam Medley, 2017-05-27 (Update: 2017-05-27)
Sam Medley - Review Editor - @samuel_medley