Cloak & Dagger Android Exploit Runs Invisibly, Steals Passwords

Filip TRUȚĂ

May 26, 2017

A team of researchers from the Georgia Institute of Technology has created a proof of concept exploiting a series of vulnerabilities and design shortcomings in the Android UI that the team says can be used to steal passwords, or to install a “God-mode” app that gives hackers full permissions on the device.

In a research paper forwarded to Google – Cloak and Dagger: From Two Permissions to Complete Control of the UI Feedback Loop – the team uncovers a new class of potential attacks affecting all Android devices, including versions 7.1.2 and below. The attacks abuse SYSTEM_ALERT_WINDOW (“draw on top”) and BIND_ACCESSIBILITY_SERVICE (“accessibility”).

On a website dedicated to the discovery, the team shows on video how a malicious app bypassing Google Play Protect can end up on a user’s Android device and control the UI feedback loop, essentially taking over the device completely. The worst part? Users won’t notice any malicious behavior.

“These attacks only require two permissions that, in case the app is installed from the Play Store, the user does not need to explicitly grant and for which she is not even notified,” the team says. “Our user study indicates that these attacks are practical. These attacks affect all recent versions of Android (including the latest version, Android 7.1.2), and they are yet to be fixed.”

Attacks that abuse the “draw on top” permission include context-aware clickjacking and context hiding, luring the user into enabling accessibility for the attacker even with the latest security mechanisms in place. Also leveraging “draw on top” is the Invisible Grid Attack, which consists of unconstrained keystroke recording – essentially a keylogger that can be used to steal passwords or retrieve private information.

Attacks that abuse the “accessibility service” permission include security PIN stealing, device unlock through PIN injection, arbitrary actions with the screen switched off, stealing two-factor authentication tokens, ad hijacking and more.

Attacks that abuse both permissions include silent installation of an app that has all permissions enabled (also known as God-mode app) and stealthy phishing.

Source: cloak-and-dagger.org

To defend against these attacks, users are advised to check which applications have access to the “draw on top” and accessibility permissions. As a rule of thumb, users should only download applications from developers they trust. Google has done its bit by updating its “bouncer” to keep such malicious apps out of Play Store.
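The permission check advised above can also be run across many apps at once. The following is an added example, not code from the researchers or from Bitdefender: it assumes each app's AndroidManifest.xml has already been decoded to text XML (for example by apktool) and shortlists apps that declare the two capabilities for manual review. The sample manifests, package names and function names are constructed for illustration.

```python
import xml.etree.ElementTree as ET

ANDROID = "{http://schemas.android.com/apk/res/android}"
OVERLAY = "android.permission.SYSTEM_ALERT_WINDOW"              # "draw on top"
ACCESSIBILITY = "android.permission.BIND_ACCESSIBILITY_SERVICE"  # "accessibility"

def audit_manifest(manifest_xml):
    """Return (package, sorted list of the two capabilities the app declares)."""
    root = ET.fromstring(manifest_xml)
    requested = {
        el.get(ANDROID + "name")
        for tag in ("uses-permission", "uses-permission-sdk-23")
        for el in root.iter(tag)
    }
    found = set()
    if OVERLAY in requested:
        found.add("draw-on-top")
    # Accessibility is not requested with <uses-permission>: the app declares a
    # <service> that only the system may bind, guarded by BIND_ACCESSIBILITY_SERVICE.
    for svc in root.iter("service"):
        if svc.get(ANDROID + "permission") == ACCESSIBILITY:
            found.add("accessibility")
    return root.get("package"), sorted(found)

def triage(manifests):
    """Map package -> 'both' / 'one' / 'none' so reviewers start with 'both'."""
    levels = {0: "none", 1: "one", 2: "both"}
    return {pkg: levels[len(caps)] for pkg, caps in map(audit_manifest, manifests)}

def _manifest(package, body):
    # Constructed sample manifests; package and class names are made up.
    return (f'<manifest xmlns:android="http://schemas.android.com/apk/res/android" '
            f'package="{package}">{body}</manifest>')

SAMPLES = [
    _manifest("com.example.flashlight",
        '<uses-permission android:name="android.permission.SYSTEM_ALERT_WINDOW"/>'
        '<application><service android:name=".Helper" '
        'android:permission="android.permission.BIND_ACCESSIBILITY_SERVICE"/></application>'),
    _manifest("com.example.chatheads",
        '<uses-permission android:name="android.permission.SYSTEM_ALERT_WINDOW"/>'
        '<application/>'),
    _manifest("com.example.notes",
        '<uses-permission android:name="android.permission.INTERNET"/><application/>'),
]

if __name__ == "__main__":
    for pkg, level in triage(SAMPLES).items():
        print(f"{pkg}: {level}")
```

Declaring both capabilities is not proof of malice, since legitimate assistive and overlay apps do the same; the result is a review shortlist. For manifests taken from untrusted APKs, parse with a hardened XML parser such as defusedxml.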

“We’ve been in close touch with the researchers and, as always, we appreciate their efforts to help keep our users safer,” the Internet giant said in a statement. “We have updated Google Play Protect — our security services on all Android devices with Google Play — to detect and prevent the installation of these apps. Prior to this report, we had already built new security protections into Android O that will further strengthen our protection from these issues moving forward.”

Android O, to launch on Sept. 23, is the latest version of the company’s mobile operating system. In addition to these new safety measures, Android O packs an anti-ransomware mechanism.

Bitdefender’s Privacy Advisor feature, available with the Mobile Security & Antivirus app, notifies users of potentially malicious applications asking for permissions on the device.
