Cloak & Dagger exploit: What you need to know

Keys to your phone
Keys to your phone (Image credit: Android Central)

A new Android exploit has been unveiled called Cloak & Dagger and, true to its name, it describes ways in which ill-intentioned apps can take advantage of two Android permissions to steal keystrokes and trick users into divulging personal information.

But is it dangerous? Let's break it down quickly.

What is Cloak & Dagger?

Cloak & Dagger is the name for a combination of two exploitable Android permissions that, when used independently or separately through an ill-intentioned app, can have dire consequences.

It was published as a proof-of-concept by a four-person team at Georgia Institute of Technology and University of California, Santa Barbara.

It is not an active exploit, and to date there have been no known public uses of it.

How does it work?

According to the team, Cloak & Dagger takes advantage of two Android permissions — SYSTEM_ALERT_WINDOW ("draw on top") and BIND_ACCESSIBILITY_SERVICE ("a11y") — that, when working together or separately, make it possible for an app to "listen in" and either steal text input such as passwords, two-factor authentication numbers, or personal data.

Cloak & Dagger is a new class of potential attacks affecting Android devices. These attacks allow a malicious app to completely control the UI feedback loop and take over the device — without giving the user a chance to notice the malicious activity. These attacks only require two permissions that, in case the app is installed from the Play Store, the user does not need to explicitly grant and for which she is not even notified. Our user study indicates that these attacks are practical.

The "draw on top" permission is known as the Android overlay feature and is used by many apps like Facebook Messenger and Samsung's own Multi Window feature to enable "windows" that can be minimized and moved around on top of other apps.

How does the exploit work?

Because both the permissions are not part of Android's explicit permission granting system that began in Android 6.0 Marshmallow, when a malicious app is downloaded, the app can automatically grant the "draw on top" permission.

Once that happens, the app, once opened, can create an overlay on top of a well-known app, like Facebook, to "phish" input like passwords. It can also overlay on top of the Android keyboard, picking up all inputted text.

The accessibility permission is a little bit harder to force a user to enable, but the team says that its proof of concept used the overlay permission to trick users into activating it. Once both are enabled, a "god mode" app can potentially steal data from any app used on the phone.

Everyone is affected

Cloak & Dagger affects all versions of Android, according to the team, including Android 5.0, 6.0 and 7.0, up to the latest release of Android 7.1.2.

Android 7.0 and above makes it a bit more difficult for some of the overlay exploits to work, but some ingenuity can still get around it.

Should you worry?

Right now, there are no known apps that take advantage of these permissions for malicious purposes, though now that they are public, that may change. The team published the research to force Google's hand to improve the experience, since, unlike other Android vulnerabilities, these exploits take advantage of design flaws in the permissions themselves, not holes or bugs in the software.

What can you do to protect yourself?

This will not be a problem for you if you are careful with the apps you use.

Much is often made of Android's security flaws, but Cloak & Dagger is not something you need to worry about as long as you're careful about granting overlay permissions.

In order to mitigate the potential effects of Cloak & Dagger, it's a good idea to review which apps can create overlays on top of your Android system. On most versions of Android, here's how to do it:

  1. Open Android Settings.
  2. Scroll down and tap on Apps.
  3. Tap on the Menu or Cog icon.
  4. Find and tap on Special access. It's usually under the "Advanced" heading.
  5. Tap on Draw over other apps. These are the apps that can create overlays using the above permission.
  6. Disable any apps you don't recognize.

More: How to turn off screen overlay on the Galaxy S8

Don't panic!

Seriously, this is not a big deal if you're careful about the apps you download, especially since Google now scans 50 billion apps for malware every day using its Play Protect system.

Hopefully, Google will address this issue publicly or at least provide some clarification about what it intends to do with app overlays. Android O should eliminate this problem altogether by refactoring the overlay problem with a new API, but it's unclear how or if Google plans to address the concern on earlier versions.

Daniel Bader

Daniel Bader was a former Android Central Editor-in-Chief and Executive Editor for iMore and Windows Central. 

  • Panic!!!!
  • Appreciate the heads-up. This isn't meant to sound bad, but am I the only one thinking "Ok, now what's Jerry's take on this" :-)
  • Everything about Android is a security to flaw. Hehehe
  • "Seriously, this is not a big deal if you're careful about the apps you download, especially since Google now scans 50 billion apps for malware every day using its Play Protect system." My takeaway from this is: If you're sideloading apks you find floating around on the web, then this is the risk you are subjecting yourself to.
  • If the hackers are smart they'll target popular apps like Mario or Netflix that block root users from downloading through the Play Store. They're bound to get quite a few unsuspecting users that way since Google and several devs would rather you download a malicious app than block ads.
  • Hey what a good idea, thanks! :-P
  • This exploit sounds like a publicity stunt to me. First of all, the draw over app permission is just as it sounds, an app that can draw over another app. I'm pretty sure that the app can't steal keystrokes because the user wouldn't be able to use the keyboard if there is an app drawn over it, just like Facebook chat heads always get in the way. Of course the malicious app could fake being another app, but it would have to guess what apps a user has or get permission to access app usage, a very hard permission to get. Hopefully, most people with common sense would notice a different keyboard or a phony bank login. Wishful thinking.
  • Clearly you didn't watch the videos, they show how the exploit works, by putting an overlay (with mulitple buttons) over the keyboard, using the Accessibility service to send those keystrokes, and overlays permission requesting screens. Watch the videos, you'll see.
  • Not really an exploit. Why not just block overlays? Not sure which apps can use them in a legit manner. Maybe a password manager, but not sure what else. This is why we need full app-ops. I have some apps I don't even want accessing the web, and I should be able to block them.