'Cloak and dagger' vuln rolls critical hit against latest Android versions
Malicious combination of legitimate permissions
A distinct class of Android vulnerability has been unearthed by computer scientists at the Georgia Institute of Technology in Atlanta.
"Cloak and dagger" is a new kind of attack vector affecting Android devices (including the latest version, 7.1.2). "Attacks allow a malicious app to completely control the UI feedback loop and take over the device – without giving the user a chance to notice the malicious activity," according to the researchers.
The attacks would abuse one or both of the SYSTEM_ALERT_WINDOW ("draw on top") and BIND_ACCESSIBILITY_SERVICE ("a11y") permissions. If the malicious app is installed from the Play Store, the user is not notified about permissions. No explicit permission needs to be granted for the attacks to succeed. It's not a traditional bug but rather the malicious combination of two legitimate permissions in popular apps. Attacks including capturing passwords or extracting contacts might be possible, according to the Georgia Tech team.
Risks arise largely from malicious code within pirated apps. The attack method has been reported to Google.
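To check an app for the permission pair described above, here is an added example (not code from the researchers or from the original article) that parses an app manifest and reports whether it requests SYSTEM_ALERT_WINDOW and declares a service guarded by BIND_ACCESSIBILITY_SERVICE. It assumes the AndroidManifest.xml has already been decoded from the APK's binary form to text XML; the sample manifests and package names are constructed.

```python
import xml.etree.ElementTree as ET

NS = "{http://schemas.android.com/apk/res/android}"
OVERLAY = "android.permission.SYSTEM_ALERT_WINDOW"
A11Y = "android.permission.BIND_ACCESSIBILITY_SERVICE"

def audit_manifest(manifest_xml):
    """Report which of the two permissions a decoded AndroidManifest.xml involves."""
    root = ET.fromstring(manifest_xml)
    requested = {e.get(NS + "name")
                 for tag in ("uses-permission", "uses-permission-sdk-23")
                 for e in root.iter(tag)}
    # An accessibility service is a <service> guarded by BIND_ACCESSIBILITY_SERVICE.
    a11y = [s.get(NS + "name") for s in root.iter("service")
            if s.get(NS + "permission") == A11Y]
    overlay = OVERLAY in requested
    return {"package": root.get("package"), "overlay": overlay,
            "a11y_services": a11y, "both": overlay and bool(a11y)}

def flag_combined(manifests):
    """Return package names whose manifest carries both permissions."""
    return [r["package"] for r in map(audit_manifest, manifests) if r["both"]]

# Constructed sample manifests (hypothetical packages), in decoded text form.
HEAD = '<manifest xmlns:android="http://schemas.android.com/apk/res/android" package="%s">'
BOTH = (HEAD % "com.example.torch") + """
  <uses-permission android:name="android.permission.SYSTEM_ALERT_WINDOW"/>
  <application>
    <service android:name=".HelperService"
             android:permission="android.permission.BIND_ACCESSIBILITY_SERVICE">
      <intent-filter>
        <action android:name="android.accessibilityservice.AccessibilityService"/>
      </intent-filter>
    </service>
  </application>
</manifest>"""
OVERLAY_ONLY = (HEAD % "com.example.chatheads") + """
  <uses-permission android:name="android.permission.SYSTEM_ALERT_WINDOW"/>
  <application/>
</manifest>"""

if __name__ == "__main__":
    for m in (BOTH, OVERLAY_ONLY):
        print(audit_manifest(m))
```

Either permission on its own is common in legitimate apps, so a "both" result is a prompt for closer review rather than a verdict.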
Winston Bond, EMEA technical director at application security outfit Arxan Technologies, commented: "The discovery of the latest 'cloak and dagger' threat facing Android devices demonstrates just how dangerous corrupted or malicious fake applications can be.
"Users have traditionally been told they will be safe as long as they only download apps from official sources and don't pirate software, but we have increasingly seen cases of malicious apps being downloaded from within app stores or official websites.
"Developers can no longer rely on the 'walled garden' approach of app stores to protect their users from malicious copies of their apps, and need to proactively defend their software from criminals seeking to tamper with its code and turn it into a weapon."
More details on the method can be found in a video put together by the Georgia Tech researchers.
Updated to add
"We've been in close touch with the researchers and, as always, we appreciate their efforts to help keep our users safer," a Google spokesman told The Reg.
"We have updated Google Play Protect - our security services on all Android devices with Google Play - to detect and prevent the installation of these apps. Prior to this report, we had already built new security protections into Android O that will further strengthen our protection from these issues moving forward."