A new Android exploit has been unveiled called Cloak & Dagger and, true to its name, it describes ways in which ill-intentioned apps can take advantage of two Android permissions to steal keystrokes and trick users into divulging personal information.
But is it dangerous? Let's break it down quickly.
What is Cloak & Dagger?
Cloak & Dagger is the name for a combination of two exploitable Android permissions that, when used independently or separately through an ill-intentioned app, can have dire consequences.
It was published as a proof-of-concept by a four-person team at Georgia Institute of Technology and University of California, Santa Barbara.
It is not an active exploit, and to date there have been no known public uses of it.
How does it work?
According to the team, Cloak & Dagger takes advantage of two Android permissions — SYSTEM_ALERT_WINDOW ("draw on top") and BIND_ACCESSIBILITY_SERVICE ("a11y") — that, when working together or separately, make it possible for an app to "listen in" and either steal text input such as passwords, two-factor authentication numbers, or personal data.
Cloak & Dagger is a new class of potential attacks affecting Android devices. These attacks allow a malicious app to completely control the UI feedback loop and take over the device — without giving the user a chance to notice the malicious activity. These attacks only require two permissions that, in case the app is installed from the Play Store, the user does not need to explicitly grant and for which she is not even notified. Our user study indicates that these attacks are practical.
The "draw on top" permission is known as the Android overlay feature and is used by many apps like Facebook Messenger and Samsung's own Multi Window feature to enable "windows" that can be minimized and moved around on top of other apps.
How does the exploit work?
Because both the permissions are not part of Android's explicit permission granting system that began in Android 6.0 Marshmallow, when a malicious app is downloaded, the app can automatically grant the "draw on top" permission.
Once that happens, the app, once opened, can create an overlay on top of a well-known app, like Facebook, to "phish" input like passwords. It can also overlay on top of the Android keyboard, picking up all inputted text.
The accessibility permission is a little bit harder to force a user to enable, but the team says that its proof of concept used the overlay permission to trick users into activating it. Once both are enabled, a "god mode" app can potentially steal data from any app used on the phone.
Everyone is affected
Cloak & Dagger affects all versions of Android, according to the team, including Android 5.0, 6.0 and 7.0, up to the latest release of Android 7.1.2.
Android 7.0 and above makes it a bit more difficult for some of the overlay exploits to work, but some ingenuity can still get around it.
Should you worry?
Right now, there are no known apps that take advantage of these permissions for malicious purposes, though now that they are public, that may change. The team published the research to force Google's hand to improve the experience, since, unlike other Android vulnerabilities, these exploits take advantage of design flaws in the permissions themselves, not holes or bugs in the software.
What can you do to protect yourself?
This will not be a problem for you if you are careful with the apps you use.
Much is often made of Android's security flaws, but Cloak & Dagger is not something you need to worry about as long as you're careful about granting overlay permissions.
In order to mitigate the potential effects of Cloak & Dagger, it's a good idea to review which apps can create overlays on top of your Android system. On most versions of Android, here's how to do it:
- Open Android Settings.
- Scroll down and tap on Apps.
- Tap on the Menu or Cog icon.
- Find and tap on Special access. It's usually under the "Advanced" heading.
- Tap on Draw over other apps. These are the apps that can create overlays using the above permission.
- Disable any apps you don't recognize.
Seriously, this is not a big deal if you're careful about the apps you download, especially since Google now scans 50 billion apps for malware every day using its Play Protect system.
Hopefully, Google will address this issue publicly or at least provide some clarification about what it intends to do with app overlays. Android O should eliminate this problem altogether by refactoring the overlay problem with a new API, but it's unclear how or if Google plans to address the concern on earlier versions.