Android ‘design shortcomings’ allow for Cloak and Dagger series of attacks

Google knows about the issues… but does that help ordinary users?

David Bisson

A series of “vulnerabilities and design shortcomings” in the Android user interface sets the stage for a new class of attacks called “Cloak and Dagger.”

Discovered by Chenxiong Qian, Simon P. Chung, and Wenke Lee of Georgia Tech and Yanick Fratantonio of UC Santa Barbara, the issues stem from two Android app permissions. The first, SYSTEM_ALERT_WINDOW (“draw on top”), allows an app to draw overlays on top of every other app. The second, BIND_ACCESSIBILITY_SERVICE (“a11y”), is a powerful privilege designed to assist users with disabilities in that it can notify an app of any event that affects the device and access the view tree.

Regarding these app rights, there’s good news and bad news. Both tidbits boil down to Google’s design choices.

First, the good news. Google understands the potential security implications of BIND_ACCESSIBILITY_SERVICE, which explains why the researchers found the privilege requested by only 24 of the top 4,455 apps on Google Play.

But the bad news is that Google grants SYSTEM_ALERT_WINDOW automatically. An attacker can exploit this fact in a malicious app to lure the user into granting a11y, access which they can then leverage to conduct a series of attacks including context-aware clickjacking, security PIN stealing, and the silent installation of a God-mode app.

Here’s a video of one such attack in action.

[Video: Cloak & Dagger: Clickjacking + Silent God-mode App Install]

That’s not even the worst part.

An examination of these so-called “Cloak and Dagger” attacks not only demonstrates their practicality but also reveals most users aren’t the wiser that any malicious activity transpired. As the researchers explain in their paper:

“To test the practicality of these attacks, we performed a user study that consisted of asking a user to first interact with our proof-of-concept app, and then login on Facebook (with our test credentials). For this experiment, we simulated the scenario where a user is lured to install this app from the Play Store: thus, SYSTEM_ALERT_WINDOW is already granted, but BIND_ACCESSIBILITY_SERVICE is not. The results of our study are worrisome: even if the malicious app actually performed clickjacking to lure the user to enable the BIND_ACCESSIBILITY_SERVICE permission, silently installed a God-mode app with all permissions enabled, and stole the user’s Facebook (test) credentials, none of the 20 human subjects even suspected they have been attacked. Even more worrisome is that none of the subjects were able to identify anything unusual even when we told them the app they interacted with was malicious and their devices had been compromised.”

Now that we know the full extent of these attacks, what is Google doing to prevent them?

Well, the tech giant has known about the issues since August 2016. With some of the vulnerabilities, Google has said it simply “won’t fix” them. For some of the other design flaws associated with the Android UI, it could take researchers a while to address them.

According to a statement provided to Softpedia, the company is working on it:

“We’ve been in close touch with the researchers and, as always, we appreciate their efforts to help keep our users safer. We have updated Google Play Protect — our security services on all Android devices with Google Play — to detect and prevent the installation of these apps. Prior to this report, we had already built new security protections into Android O that will further strengthen our protection from these issues moving forward.”

That’s great… for Android users who receive OS updates on a regular basis. As we know from other Android security issues, most users don’t get those fixes from their manufacturers until weeks, months, or years after their release. Those unlucky many won’t see the “new security protections” built into Android O for quite some time.

While they wait for their share of the pie, all Android users can do is go into their device settings and check to see which apps have “draw on top” and “a11y” access. Not all apps that use these privileges will announce it to you. (Thank Google for that.) For those apps that do show up, think long and hard about keeping them installed on your device.

David Bisson is an infosec news junkie and security journalist. He works as Contributing Editor for Graham Cluley Security News and Associate Editor for Tripwire's "The State of Security" blog.

2 comments on “Android ‘design shortcomings’ allow for Cloak and Dagger series of attacks”

  1. JackTheCat

    These articles annoy me and please me at the same time. They please me that the vulnerability has been found. They annoy me that they have been fixed for the latest operating system, which means a new phone. I don't have the funds to be getting a new £600/£700 every year. It really is making me think to just go back to using just feature phones as my personal protest against the makers of the phones and operating systems.

    I know it wouldn't be of concern by the makers but at least I have done something to help my personal digital security.

  2. rar

    3 points:

    1. Google is known for reporting 0-day vuls on other software, like MS. Now the bullet is facing them and they say "won't fix"? Is that responsible, at all?

    2. This strongly adds to my dissatisfaction about NIST's recommendation not to reset passwords timely. The users that get their accounts hijacked using this or similar vul will never know they are compromised and, if not forced, will never reset their pwd.

    3. I have Samsung, ZTE & LG Android devices and in all the 7 years, these ancient devices haven't received a single software update by the vendors. So it's best to add "manufacturers until weeks, months, or years after their release" *"or never"*
