Researchers have discovered a new attack, dubbed ‘Cloak and Dagger’, that works against all versions of Android, up to version 7.1.2.
Cloak and Dagger attack allows hackers to silently take full control of your device and steal private data, including keystrokes, chats, device PIN, online account passwords, OTP passcode, and contacts.
What’s interesting about Cloak and Dagger attack?
The attack doesn’t exploit any vulnerability in Android ecosystem; instead, it abuses a pair of legitimate app permissions that is being widely used in popular applications to access certain features on an Android device.
Researchers at Georgia Institute of Technology have discovered this attack, who successfully performed it on 20 people and none of them were able to detect any malicious activity.
Cloak and Dagger attacks utilise two basic Android permissions:
- SYSTEM_ALERT_WINDOW (“draw on top”)
- BIND_ACCESSIBILITY_SERVICE (“a11y”)
The first permission, known as “draw on top,” is a legitimate overlay feature that allows apps to overlap on a device’s screen and top of other apps.
The second permission, known as “a11y,” is designed to help disabled, blind and visually impaired users, allowing them to enter inputs using voice commands, or listen content using screen reader feature.
Scary Things Hackers Can Do to Your Android (Demo)
Since the attack does not require any malicious code to perform the trojanized tasks, it becomes easier for hackers to develop and submit a malicious app to Google Play Store without detection.
Unfortunately, it’s a known fact that the security mechanisms used by Google are not enough to keep all malware out of its app market.
Just last month, researchers uncovered several Android apps masqueraded as an innocent “Funny Videos” app on Play Store with over 5,000 downloads but distributed the ‘BankBot banking Trojan‘ that steal victims’ banking passwords.
Here’s what the researchers explained how they got on the Google Play Store to perform Cloak & Dagger attacks:
“In particular, we submitted an app requiring these two permissions and containing a non-obfuscated functionality to download and execute arbitrary code (attempting to simulate a clearly malicious behavior): this app got approved after just a few hours (and it is still available on the Google Play Store).” researchers say.
Once installed, the researchers say the attacker can perform various malicious activities including:
- Advanced clickjacking attack
- Unconstrained keystroke recording
- Stealthy phishing attack
- Silent installation of a God-mode app (with all permissions enabled)
- Silent phone unlocking and arbitrary actions (while keeping the screen off)
In short, the attackers can secretly take over your Android device and spy on your every activity you do on your phone.
Researchers have also provided the video demonstrations of a series of Cloak and Dagger attacks.
Google Can’t Fix It, At Least Not So Fast
University researchers have already disclosed this new attack vector to Google but noted that since the issue resides in the way Android OS has been designed, involving two of its standard features that behave as intended, the problem could be difficult to resolve.
“Changing a feature is not like fixing a bug,” said Yanick Fratantonio, the paper’s first author. “System designers will now have to think more about how seemingly unrelated features could interact. Features do not operate separately on the device.”
As we reported earlier, Google gives “SYSTEM_ALERT_WINDOW” (“draw on top”) permission to all applications directly installed from the official Google Play Store since Android Marshmallow (version 6), launched in October 2015.
This feature that lets malicious apps hijack a device’s screen is one of the most widely exploited methods used by cyber criminals and hackers to trick unwitting Android users into falling victims for malware and phishing scams.
However, Google has planned to change its policy in ‘Android O,’ which is scheduled for release in the 3rd quarter this year.
So, users need to wait for a long, long time, as millions of users are still waiting for Android Nougat (N) from their device manufacturers (OEMs).
In other words, the majority of smartphone users will continue to be victimised by ransomware, adware and banking Trojans at least for next one year.
The easiest way to disable the Cloak and Dagger attacks in Android 7.1.2 is to turn off the “draw on top” permission by heading on to:
Settings → Apps → Gear symbol → Special access → Draw over other apps.
The universal and easiest way to avoid being hacked is always to download apps from Google Play Store, but only from trusted and verified developers.
You are also advised to check app permissions before installing apps. If any app is asking more than what it is meant for, just do not install it.