
Cloak & Dagger Android Exploit Runs Invisibly, Steals Passwords

Filip TRUȚĂ

May 26, 2017


A team of researchers from the Georgia Institute of Technology has created a proof of concept exploiting a series of vulnerabilities and design shortcomings in the Android UI that the team says can be used to steal passwords, or to install a “God-mode” app that gives hackers full permissions on the device.

In a research paper forwarded to Google – Cloak and Dagger: From Two Permissions to Complete Control of the UI Feedback Loop – the team describes a new class of potential attacks affecting all Android versions up to and including 7.1.2. The attacks abuse two permissions: SYSTEM_ALERT_WINDOW (“draw on top”) and BIND_ACCESSIBILITY_SERVICE (“accessibility”).

On a website dedicated to the discovery, the team shows on video how a malicious app bypassing Google Play Protect can end up on a user's Android device and control the UI feedback loop, essentially taking over the device completely. The worst part? Users won't notice any malicious behavior.

“These attacks only require two permissions that, in case the app is installed from the Play Store, the user does not need to explicitly grant and for which she is not even notified,” the team says. “Our user study indicates that these attacks are practical. These attacks affect all recent versions of Android (including the latest version, Android 7.1.2), and they are yet to be fixed.”

Attacks that abuse the “draw on top” permission include context-aware clickjacking and context hiding, luring the user into enabling accessibility for the attacker even with the latest security mechanisms in place. Also leveraging “draw on top” is the Invisible Grid Attack, which consists of unconstrained keystroke recording – essentially a keylogger that can be used to steal passwords or retrieve private information.

Attacks that abuse the “accessibility service” permission include security PIN stealing, device unlock through PIN injection, arbitrary actions with the screen switched off, stealing two-factor authentication tokens, ad hijacking and more.

Attacks that abuse both permissions include silent installation of an app that has all permissions enabled (also known as God-mode app) and stealthy phishing.

Source: cloak-and-dagger.org

To defend against these attacks, users are advised to check which applications have access to the “draw on top” and accessibility permissions. As a rule of thumb, users should only download applications from developers they trust. Google has done its bit by updating its “bouncer” to keep such malicious apps out of Play Store.
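One way to perform that check from a workstation, as an added example that is not part of the original article or the researchers' material: a POSIX sh audit script that uses adb to list third-party apps allowed to draw over other apps and the packages behind any enabled accessibility service. It assumes adb is on PATH with USB debugging enabled, and that the output of `settings get secure enabled_accessibility_services` and `appops get` has the shape shown in the comments (formats vary somewhat between Android releases); the sample values in the comments and tests are constructed.

```shell
#!/bin/sh
# Audit the two permissions abused by Cloak & Dagger on a connected device.
# Added example; assumes adb output in the formats described below.

# Parse the raw value of the secure setting enabled_accessibility_services,
# e.g. "com.evil.app/com.evil.app.Svc:com.good.reader/com.good.reader.TtsSvc"
# (or "null" when nothing is enabled), into one package name per line.
accessibility_packages() {
  raw="$1"
  if [ -z "$raw" ] || [ "$raw" = "null" ]; then
    return 0
  fi
  printf '%s\n' "$raw" | tr ':' '\n' | cut -d/ -f1 | sort -u
}

# Map the output of `appops get <pkg> SYSTEM_ALERT_WINDOW`
# (e.g. "SYSTEM_ALERT_WINDOW: allow; time=+3d2h" or "No operations.")
# to one of: allow, deny, default.
overlay_mode() {
  case "$1" in
    *"SYSTEM_ALERT_WINDOW: allow"*) echo allow ;;
    *"SYSTEM_ALERT_WINDOW: deny"*)  echo deny ;;
    *)                              echo default ;;
  esac
}

# Live audit against the first device adb sees. Third-party packages only
# (-3), since system apps legitimately hold these permissions.
audit_device() {
  svc=$(adb shell settings get secure enabled_accessibility_services | tr -d '\r')
  echo "== Packages with an enabled accessibility service =="
  accessibility_packages "$svc"
  echo "== Third-party packages allowed to draw over other apps =="
  for line in $(adb shell pm list packages -3 | tr -d '\r'); do
    pkg=${line#package:}
    mode=$(overlay_mode "$(adb shell appops get "$pkg" SYSTEM_ALERT_WINDOW | tr -d '\r')")
    [ "$mode" = allow ] && echo "$pkg"
  done
}

# Only touch a device when explicitly asked, so the parsing helpers can be
# sourced and tested offline.
if [ "${1:-}" = "--live" ]; then
  audit_device
fi
```

Any third-party package that appears in both lists deserves a closer look, since holding both permissions is exactly the precondition the paper describes.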

“We've been in close touch with the researchers and, as always, we appreciate their efforts to help keep our users safer,” the Internet giant said in a statement. “We have updated Google Play Protect — our security services on all Android devices with Google Play — to detect and prevent the installation of these apps. Prior to this report, we had already built new security protections into Android O that will further strengthen our protection from these issues moving forward.”

Android O, to launch on Sept. 23, is the latest version of the company's mobile operating system. In addition to these new safety measures, Android O packs an anti-ransomware mechanism.

Bitdefender's Privacy Advisor feature, available with the Mobile Security & Antivirus app, notifies users of potentially malicious applications asking for permissions on the device.
