Android is vulnerable to “Cloak and Dagger” attack

A new vulnerability affecting all Android versions, dubbed “Cloak and Dagger”, has been discovered by security researchers at the Georgia Institute of Technology.

According to the researchers:
“Cloak and dagger” is a new type of attack vector that affects all Android devices (including the latest version, 7.1.2 Nougat). The attack allows a malicious application to fully control the UI feedback loop and take over the affected device without giving the victim a chance to notice the malicious activity.

The attack only requires two permissions:
– SYSTEM_ALERT_WINDOW (“draw on top”)
– BIND_ACCESSIBILITY_SERVICE (“a11y”)

If the malicious application is installed from the Google Play Store, the user is not informed about these permissions: no specific permission needs to be granted by the user for the attacks to succeed. It is not a bug in the usual sense but rather a malicious combination of two legitimate permissions that are common in popular apps. According to the Georgia Tech team, “Cloak and dagger” attacks include advanced clickjacking, unconstrained keystroke recording, stealthy phishing, the silent installation of a God-mode app (with all permissions enabled), and silent phone unlocking plus arbitrary actions (while keeping the screen off).

Users are advised to check which applications have access to the “draw on top” and a11y permissions. Both are considered “special” permissions and, for this reason, certain versions of Android may show “no permission required” for them. To defend against Cloak and Dagger attacks, users are advised to turn off the “draw on top” permission and the a11y permissions:

Android 7.1.2:
— “draw on top” permission: Settings → Apps → “Gear symbol” (top-right) → Special access → Draw over other apps.
— a11y: Settings → Accessibility → Services: check which apps require a11y.
Android 6.0.1:
— “draw on top” permission: Settings → Apps → “Gear symbol” (top-right) → Draw over other apps.
— a11y: Settings → Accessibility → Services: check which apps require a11y.
Android 5.1.1:
— “draw on top” permission: Settings → Apps → click on individual app and look for “draw over other apps”
— a11y: Settings → Accessibility → Services: check which apps require a11y.
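For fleet or lab devices the same check can be scripted over `adb` output instead of the Settings menus. The following is an added example, not code from the article or the Georgia Tech researchers; it parses text in the shape returned by `adb shell settings get secure enabled_accessibility_services` and `adb shell appops get <package> SYSTEM_ALERT_WINDOW` (output formats assumed, as in the constructed samples), and flags any package holding both permissions at once.

```python
"""Audit which apps hold both 'draw on top' and an enabled accessibility service."""
import re

# Constructed sample: value of the enabled_accessibility_services secure setting
# (colon-separated package/service entries; assumed format).
SAMPLE_A11Y_SETTING = (
    "com.example.screenreader/com.example.screenreader.TalkService:"
    "com.example.suspicious/.OverlayHelperService"
)

# Constructed sample: 'appops get <pkg> SYSTEM_ALERT_WINDOW' output per package
# (assumed format; 'No operations.' means the op was never set).
SAMPLE_APPOPS = {
    "com.example.screenreader": "No operations.",
    "com.example.suspicious": "SYSTEM_ALERT_WINDOW: allow; time=+2h3m1s ago",
    "com.example.weather": "SYSTEM_ALERT_WINDOW: allow",
    "com.example.notes": "SYSTEM_ALERT_WINDOW: deny",
}


def a11y_packages(setting_value):
    """Package names with an enabled accessibility service ('null' = none set)."""
    value = setting_value.strip()
    if value in ("", "null"):
        return set()
    return {entry.split("/", 1)[0] for entry in value.split(":") if "/" in entry}


def overlay_allowed(appops_output):
    """True only if SYSTEM_ALERT_WINDOW is explicitly in 'allow' mode."""
    match = re.search(r"SYSTEM_ALERT_WINDOW:\s*(\w+)", appops_output)
    return bool(match) and match.group(1) == "allow"


def audit(appops_by_pkg, a11y_setting):
    """Return {package: (draw_on_top, a11y)} for every package checked."""
    a11y = a11y_packages(a11y_setting)
    return {pkg: (overlay_allowed(out), pkg in a11y) for pkg, out in appops_by_pkg.items()}


def flagged(appops_by_pkg, a11y_setting):
    """Packages holding both permissions: the combination the attack relies on."""
    return sorted(pkg for pkg, (draw, a11y) in audit(appops_by_pkg, a11y_setting).items() if draw and a11y)


if __name__ == "__main__":
    for pkg, (draw, a11y) in sorted(audit(SAMPLE_APPOPS, SAMPLE_A11Y_SETTING).items()):
        print(f"{pkg}: draw_on_top={draw} a11y={a11y}")
    print("review these:", flagged(SAMPLE_APPOPS, SAMPLE_A11Y_SETTING))
```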
