Researchers spotlight ‘cloak and dagger’ attack against Android devices

Researchers spotlight ‘cloak and dagger’ attack against Android devices
© Getty Images

Researchers have discovered a series of vulnerabilities that can be used against the newest versions of Google’s Android operating system to control devices without their users knowing.

The class of attacks, dubbed “Cloak and Dagger,” was first uncovered by a team of researchers at the Georgia Institute of Technology in Atlanta last August. Those researchers, who informed Google’s Android security team about the discovered vulnerabilities, released a full report on the attack vector online this week. 

According to their research, the flaws allow malicious apps downloaded from the Google Play Store to take control of the operating system’s user interface feedback loop and take control of the device “without giving the user a chance to notice the malicious activity.”

ADVERTISEMENT
When contacted, a spokesperson for Google said that the company has been in communication with the researchers and had built in new security protections before the release of the research.

“We’ve been in close touch with the researchers and, as always, we appreciate their efforts to help keep our users safer. We have updated Google Play Protect — our security services on all Android devices with Google Play — to detect and prevent the installation of these apps,” the spokesperson said.

“Prior to this report, we had already built new security protections into Android O that will further strengthen our protection from these issues moving forward.”

The researchers, however, say vulnerabilities have not been fixed, noting the attacks can affect all recent Android versions, including the latest Android 7.1.2.  

The attacks exploit two app permissions, namely the SYSTEM_ALERT_WINDOW and the BIND_ACCESSIBILITY_SERVICE. The user does not need to explicitly grant these permissions if the app is downloaded from the Play Store, but any other program needs to be granted permissions. 

“The possible attacks include advanced clickjacking, unconstrained keystroke recording, stealthy phishing, the silent installation of a God-mode app (with all permissions enabled), and silent phone unlocking + arbitrary actions (while keeping the screen off),” the researchers wrote.