Android 'Cloak and Dagger' Attacks Uses Overlays and Accessibility to Deceive Users

Another day, another Android exploit. This time, researchers say they have found a new class of Android exploits altogether, that they call Cloak and Dagger. The reason for the name is that the exploits operate silently in the background, without the user ever knowing about their existence.

Discovered by researchers at the at the University of California Santa Barbara and the Georgia Institute of Technology, the Cloak and Dagger attacks user two sets of permissions on Android. The first is the System Alert Window, which is also known as 'draw on top', allowing apps to create overlays or draw on top of other apps and the Android interface. The second is Bind Accessibility Service, known as 'a11y', which allows uses the numerous accessibility services available on Android to help people with sight and other challenges.

Using either or both of these permissions, a malicious app could make users fall for clickjacking. This is a concept where a malicious app shows users one interface, which actually masks another interface below. For example, users could be shown an innocuous questionnaire, but below it, app permissions could be being toggled instead without users' knowledge.

Unsurprisingly, these two permissions allow all sorts of attacks to exploit users. "These attacks allow a malicious app to completely control the UI feedback loop and take over the device - without giving the user a chance to notice the malicious activity," the description of the Cloak and Dagger attacks reads on a dedicated website. Notably, these attacks even affect all the latest versions of Google's mobile platform, including Android 7.1.2 Nougat, and require merely two permissions.

Alarmingly, the System Alert Window or 'draw on top' permission is not required to be explicitly granted by the user when an app is installed via Google Play. To make things worse, as we explained above, if an malicious app with the Draw on Top permission is installed, it could easily scam a user into granting it the Bind Accessibility Service permission. If you are concerned already, wait till you hear the worst part, these vulnerabilities have not been fixed till now.

While these researchers first talked to Google around 9 months back and some vulnerabilities were fixed over months with updates, some of them are still present in the latest version of the platform as the tools involved in the exploit are also required by some applications, as pointed out in a report by Android Police.

Overlays can always prove to be a security threat and this is why an overlay notification was added with Android Marshmallow as well. However, it was removed with Android Nougat, Android Police nots.

The invisible Grid attack, which makes use of these vulnerabilities, can enable keystroke recording that can give away users password and other sensitive data to the hijackers as well.

In a statement to Engadget, Google has responded to the Cloak and Dagger attacks, and said, "We've been in close touch with the researchers and, as always, we appreciate their efforts to help keep our users safer. We have updated Google Play Protect -- our security services on all Android devices with Google Play -- to detect and prevent the installation of these apps. Prior to this report, we had already built new security protections into Android O that will further strengthen our protection from these issues, moving forward."

However, the researchers say that they were able to get malicious app approved from the store and that it is still available on Google Play.

Thus, until Android O comes along, users don't have much they can do to avoid being trapped, beyond regular security practices. Install apps only from trusted sources, don't install random apps, and, keep a close watch on what permissions an app is asking for.