Researchers from the University of California Santa Barbara and the Georgia Institute of Technology have discovered a new class of Android vulnerabilities that have been named the "Cloak & Dagger" exploit.
Google was informed about that exploit nine months ago, but some of the vulnerabilities are still present, even in the latest Android 7.1.2 Nougat. This is because some legitimate apps use the tools that are manipulated by the exploit.
What Does Cloak & Dagger Do?
According to the researchers, Cloak & Dagger attacks allow malicious apps to take over the user interface feedback loop and gain control of infected devices, without the user even knowing that such attacks have taken place.
The exploit uses two permissions, namely SYSTEM_ALERT_WINDOW ("draw on top") and BIND_ACCESSIBILITY_SERVICE ("a11y"). The draw on top permission is the Android overlay feature that allows apps such as Facebook Messenger and Samsung's Multi Window to create windows that users can minimize and move around on top of other apps. The accessibility service permission, meanwhile, intercepts user input such as keystrokes to help users with impaired eyesight or hearing.
Working together or separately, these permissions can be exploited to allow apps to steal text input which may include passwords, confidential information, and two-factor authentication codes. When users input information into apps, they would not know that they are also inputting the information into another layer. This kind of attack is known as clickjacking.
What makes the Cloak & Dagger attacks even more dangerous is that these two permissions being exploited are not part of the Android permission granting system that started in Android 6.0 Marshmallow. Malicious apps are automatically granted the draw on top permissions, allowing them to create overlays on top of apps such as Facebook and the Android keyboard.
The accessibility permission, meanwhile, is a bit harder to exploit as attackers will need to use the overlay exploit to activate it. However, once that is done, a so-called god mode app may be used to steal data from any app that is launched on the Android device.
How To Protect Yourself From Cloak & Dagger
Fortunately, Cloak & Dagger is not an active exploit, and there have been no reported cases of hackers taking advantage of the vulnerability. There is also the chance that a complete solution is coming with Android O. Nevertheless, Android users will need to stay vigilant to protect themselves.
The simplest way to protect Android devices from the Cloak & Dagger attack is to disable the draw on top permission. This can be done by entering Settings, tapping on the Gear symbol under Apps, and then selecting Special Access. The Draw Over Other Apps option can then be deactivated.
Users can also go into the Accessibility menu under Settings, and check the apps that require a11y under the Services option.
In addition, users are highly recommended to follow the usual tips in protecting their Android devices from security breaches, first and foremost of which is to avoid installing random apps from untrusted sources.
While Google and security researchers should hunt down and fix vulnerabilities such as the Cloak & Dagger exploit, users also share in the responsibility of preventing the spread of malware.
