Researchers from Georgia Institute of Technology and UC Santa Barbara have uncovered a new Android exploit affecting all versions of the operating system. The exploit is dubbed Cloak and Dagger and is seen as a new class of potential attacks targeting Google’s mobile OS.
The Cloak and Dagger Exploits in Detail
Attacks based on Cloak and Dagger allow a malicious app to steal sensitive information while requesting only two permissions: SYSTEM_ALERT_WINDOW (“draw on top”) and BIND_ACCESSIBILITY_SERVICE (“a11y”). The attacks abuse one or both of these permissions, the researchers explain.
As already mentioned, these attacks need only two permissions, and if the app is installed via the Play Store, the potential victim doesn’t need to grant them. The researchers’ user study indicates that the attacks are practical, and they affect all recent versions of Android, including Android 7.1.2.
Conceptually, “cloak and dagger” is the first class of attacks to successfully and completely compromise the UI feedback loop. In particular, we show how we can modify what the user sees, detect the input/reaction to the modified display, and update the display to meet user expectations. Similarly, we can fake user input, and still manage to display to the user what they expect to see, instead of showing them the system responding to the injected input.
Even though it is not that simple to trick users into enabling accessibility permissions, attackers can still succeed. Once the permissions are on, attackers are able to install malicious software, harvest data from installed applications, and eventually take full control of the Android device. The worst part is that the user will not be aware of what is going on in the background of their device.
“In particular, we demonstrate how such an app can launch a variety of stealthy, powerful attacks, ranging from stealing user’s login credentials and security PIN, to the silent installation of a God-mode app with all permissions enabled, leaving the victim completely unsuspecting,” the researchers note in their report.
Google Fixed the Exploits and Issued a Statement
On Google’s side, the company has already taken action against the exploit. There is also an official statement explaining its countermeasures to patch the affected versions, including Android 7.1.2, Google’s latest release.
“We’ve been in close touch with the researchers and, as always, we appreciate their efforts to help keep our users safer. We have updated Google Play Protect — our security services on all Android devices with Google Play — to detect and prevent the installation of these apps. Prior to this report, we had already built new security protections into Android O that will further strengthen our protection from these issues moving forward,” Google stated.