Saturday, May 27, 2017

Millions of Android devices potentially exposed to the Cloak and Dagger attack

Security researchers at Georgia Institute of Technology have discovered a new attack, dubbed ‘Cloak and Dagger’, that allows taking full control of Android devices.
The  ‘Cloak and Dagger’ attack works against all versions of Android, up to version 7.1.2, it doesn’t exploit any vulnerability in Android OS, instead, it leverages a pair of legitimate app permissions that is being widely used in popular applications to access certain features on an Android device.
Cloak and Dagger attacks abuse the following basic Android permissions:
  • SYSTEM_ALERT_WINDOW (“draw on top”) – is a legitimate overlay feature that allows apps to overlap on a device’s screen and top of other apps.
  • BIND_ACCESSIBILITY_SERVICE (“a11y”) – is a permission designed to help disabled users, allowing them to enter inputs using voice commands, or listen content using screen reader feature.
“Cloak & Dagger is a new class of potential attacks affecting Android devices. These attacks allow a malicious app to completely control the UI feedback loop and take over the device — without giving the user a chance to notice the malicious activity. These attacks only require two permissions that, in case the app is installed from the Play Store, the user does not need to explicitly grant and for which she is not even notified. Our user study indicates that these attacks are practical. These attacks affect all recent versions of Android (including the latest version, Android 7.1.2), and they are yet to be fixed.” states the researchers.


In a real attack scenario, hackers can develop and submit a malicious app requiring these two permissions and submit it to Google Play Store, the app will bypass security checks because it will not include the code for the exploitation of any vulnerability.
“In particular, we submitted an app requiring these two permissions and containing a non-obfuscated functionality to download and execute arbitrary code (attempting to simulate a clearly malicious behavior): this app got approved after just a few hours (and it is still available on the Google Play Store).” wrote the researchers.
Once the user will install the app, the attacker can perform various malicious activities including:
  • Advanced clickjacking attack
  • Unconstrained keystroke recording
  • Stealthy phishing attack
  • Silent installation of a God-mode app (with all permissions enabled)
  • Silent phone unlocking and arbitrary actions (while keeping the screen off)
Below the video PoC for the Cloak and Dagger attacks published by the experts:
The experts reported the ‘Cloak and Dagger’ attack to Google but noted that the isssue is a design problem of the Android OS, for this reason the fix will require a significant effort.
“Changing a feature is not like fixing a bug,” said Yanick Fratantonio, the paper’s first author. “System designers will now have to think more about how seemingly unrelated features could interact. Features do not operate separately on the device.”
Android gives “SYSTEM_ALERT_WINDOW” (“draw on top”) permission to all applications downloaded from the official Google Play Store Android version 6, aka Marshmallow.
The feature is abused by malware that hijacks a device’s screen, it is quite common for example in mobile banking trojan.
Clearly, Google has to introduce changes in its OS, the changes are expected for Q3 2017. In this period millions of Android users will be vulnerable to the attack.
To mitigate the issue and disable the Cloak and Dagger attacks in Android 7.1.2 it is possible to disable the “draw on top” permission:
Settings → Apps → Gear symbol → Special access → Draw over other apps.
Every time you download an application check the reputation of the development team and check app permissions before installing it.