Recently, research conducted by UC Santa Barbara and Georgia Institute of Technology in Atlanta discovered an Android takeover by a new class of cyber attack known as “Cloak and Dagger.”
This malicious software allows hackers to take full control over an Android device without being detected.
Once the malware hacks into the device, it takes total control over the UI feedback loop.
After that, it takes over the phone completely and even performs tasks with the screen turned off.
This cyber attack is especially rampant in the app marketplace.
The malware can be found on the Google Play Store or other official websites masquerading as a funny video app, and it’s distributed as a Trojan.
What are the possible attacks this malware can perform on an Android device?
- Unconstrained keystroke recording.
- Advanced clickjacking attacks.
- Stealthy phishing attacks.
- Silent installation of god-mode that has all permissions enabled.
- Silent phone unlocking to perform arbitrary actions while the screen is off.
- Extraction of passwords and contacts.
This malware attacks all Android versions, even the latest 7.1.2, which is a stable version of the system.
Which permissions do the Cloak and Dagger cyber attack abuse?
Cloak and Dagger is not the standard or traditional bug that a hacker uses to commit a cyber attack.
It is a potent combination of two legal app permissions that are used across most features on Android.
These permissions include:
- SYSTEM_ALERT_WINDOW (“draw on top”) — This permission allows the overlapping of applications on an Android device’s screen.The draw on top application is used by most popular apps like the Multi Window feature on Samsung Android devices and on Facebook Messenger.
- BIND_ACCESSIBILITY_SERVICE (“a11y”) — This permission allows Android users with disabilities to use voice commands to enter inputs into their devices.
These two permissions, working together or separately, make it possible for malicious apps to conduct a cyber attack by tapping into a device to listen in and steal personal data.
By abusing these permissions, hackers can easily develop malicious applications and then submit them to Google Play Store and other official websites to commit a cyber attack on unsuspecting users.
Once an Android user downloads this application onto their smartphone, it does not need any permission to make changes to the device.
The malicious apps ultimately control the UI feedback loop to take over the device.
The user will also not be able to detect any malicious activity going on in their phone.
The researchers proved this in a study performed on a 20-person research.
This new cyber attack has shattered the walled garden approach of app stores that protect users against malicious apps.
How does this cyber attack exploit work?
Once the malicious app is downloaded, it automatically grants the System_Alert_Window (“draw on top”) permission.
Then, the application opens up and creates an overlay on top of a legitimate app, such as Facebook, to eavesdrop on all its activities, a strategy also known as phishing.
The malicious application is able to phish the app’s data, like password information.
Additionally, it can overlay on the Android’s keyboard to pick up all inputted text.
The application also uses its overlay permission to trick users into enabling the accessibility permission.
Once this permission is enabled, a god-mode app is able to steal data from any apps on the phone.
The attacker is able to modify what the user sees, as well as inject fake input while maintaining the standard user experience.
How is this cyber attack issue being resolved?
Since the research was conducted, a Google spokesperson told Mashable that the company has been in close contact with the researchers.
The spokesperson confirmed that they had made updates on Google Play to protect, detect and prevent the installation of these malicious applications.
They also confirmed that Google had already built new security protections for the Android O that are meant to strengthen the protection against such cyber attack incidences in the future.
How can users protect themselves from falling victim to such cyber attacks?
The research team asked users to check for applications using the “draw on top” permission and disable them if they want to avert themselves from falling victim to this cyber attack.
Additionally, they advised users to download apps from trusted and verified developers in the Google Play Store.
Before installing any new applications, users are supposed to check for app permissions.
They should ensure that app permissions are monitored and restricted.
Users should avoid applications that ask for more permission than necessary.