A series of “vulnerabilities and design shortcomings” in the Android user interface sets the stage for a new class of attacks called “Cloak and Dagger.”
Discovered by Chenxiong Qian, Simon P. and Chung, Wenke Lee of Georgia Tech and Yanick Fratantonio of UC Santa Barbara, the issues stem from two Android app permissions. The first, SYSTEM_ALERT_WINDOW (“draw on top”), allows an app to draw overlays on top of every other app. The second, BIND_ACCESSIBILITY_SERVICE (“a11y”), is a powerful privilege designed to assist users with disabilities in that it can notify an app of any event that affects the device and access the view tree.
Regarding these app rights, there’s good news and bad news. Both tidbits boil down to Google’s design choices.
First, the good news. Google understands the potential security implications of BIND_ACCESSIBILITY_SERVICE, which explains why the researchers found the privilege requested by only 24 of the top 4,455 apps on Google Play.
But the bad news is that Google grants SYSTEM_ALERT_WINDOW automatically. An attacker can exploit this fact in a malicious app to lure the user into granting a11y, access which they can then leverage to conduct a series of attacks including context-aware clickjacking, security PIN stealing, and the silent installation of a God-mode app.
Here’s a video of one such attack in action.
That’s not even the worst part.
An examination of these so-called “Cloak and Dagger” attacks not only demonstrates their practicality but also reveals most users aren’t the wiser that any malicious activity transpired. As the researchers explain in their paper:
“To test the practicality of these attacks, we performed a user study that consisted of asking a user to first interact with our proof-of-concept app, and then login on Facebook (with our test credentials). For this experiment, we simulated the scenario where a user is lured to install this app from the Play Store: thus, SYSTEM_ALERT_WINDOW is already granted, but BIND_ACCESSIBILITY_SERVICE is not. The results of our study are worrisome: even if the malicious app actually performed clickjacking to lure the user to enable the BIND_ACCESSIBILITY_SERVICE permission, silently installed a God-mode app with all permissions enabled, and stole the user’s Facebook (test) credentials, none of the 20 human subjects even suspected they have been attacked. Even more worrisome is that none of the subjects were able to identify anything unusual even when we told them the app they interacted with was malicious and their devices had been compromised.”
Now that we know the full extent of these attacks, what is Google doing to prevent them?
Well, the tech giant has known about the issues since August 2016. With some of the vulnerabilities, Google has said it simply “won’t fix” them. For some of the other design flaws associated with the Android UI, it could take researchers a while to address them.
According to a statement provided to Softpedia, the company is working on it:
“We’ve been in close touch with the researchers and, as always, we appreciate their efforts to help keep our users safer. We have updated Google Play Protect — our security services on all Android devices with Google Play — to detect and prevent the installation of these apps. Prior to this report, we had already built new security protections into Android O that will further strengthen our protection from these issues moving forward.”
That’s great…for Android users who receive OS updates on a regular basis. As we know with other Android security issues, most users don’t get those fixes from their manufacturers until weeks, months, or years after their release. For those unlucky many, they won’t see the “new security protections” built into Android O for quite some time.
While they wait for their share of the pie, all Android users can do is go into their device settings and check to see which apps have “draw on top” and “a11y” access. Not all apps that use these privileges will announce it to you. (Thank Google for that.) For those apps that do show up, think long and hard about keeping them installed on your device.
Found this article interesting? Follow Graham Cluley on Twitter to read more of the exclusive content we post.