Usually vulnerabilities in software are accidents or mistakes, flaws that shouldn’t be there. But they can also stem from unintended consequences of features working the way they’re supposed to. Those problems prove difficult to resolve, especially if the potentially impacted feature has an important, legitimate use. That’s what happened with Cloak & Dagger, an attack that manipulates attributes of the operating system’s visual design and user interface to hide malicious activity.
Researchers at the Georgia Institute of Technology and University of California, Santa Barbara first detailed the vulnerabilities in May, and have worked with Google since to address them. But while Google has addressed many of the bugs in its upcoming Android O release, the methods persist on current versions of Android, potentially exposing virtually all Android users to an insidious attack.
“User interface bugs are out there and they can be exploited and it’s quite easy to implement them,” says Yanick Fratantonio, a mobile security researcher who works on the project and helped present the latest Cloak & Dagger updates at the Black Hat security conference Thursday. “The attacks are a very big deal, but they’re difficult to fix. You can’t just change [the vulnerable features] because you have backward compatibility problems.”
In addition to the protections baked into Android O, a Google spokesperson said in a statement that, “We’ve been in close touch with the researchers and, as always, we appreciate their efforts to help keep our users safer. We have updated Google Play Protect—our security services on all Android devices with Google Play—to detect and prevent the installation of these apps.”
The main Cloak & Dagger attacks affect all recent versions of Android, up to the current 7.1.2. They take advantage of two Android permissions: SYSTEM_ALERT_WINDOW, which allows an app to draw overlay windows on top of whatever else is on screen (legitimately used for things like floating notifications and chat heads), and BIND_ACCESSIBILITY_SERVICE, the permission that gates accessibility services and lets them read, track and query the visual elements displayed on the phone. These permissions can be abused individually, or in tandem.
When you download apps from Google Play that request the System Alert overlay permission, Android grants it automatically, no user approval required. That means malicious apps that ask for that permission can hide ill-intentioned activity behind innocuous-looking screens. For example, the app can trigger a permission request that the user must approve, but cover that request dialog with an overlay that appears to ask for something innocent, leaving a hole in the cover screen exactly where the real “Accept” button sits; the user’s tap passes through the hole to the hidden button. This type of bait and switch is a version of an attack known as “clickjacking” (on touch devices, “tapjacking”).
In the case of Cloak & Dagger, the permission the researchers tricked test subjects into accepting is called the Bind Accessibility Service. When users grant this permission, apps gain the ability to track objects across the screen, interact with them, and even manipulate them. Normally, these capabilities are reserved for services that address disabilities like physical and visual impairments. In the hands of a malicious app, they can prove devastating.
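The two permissions the attack depends on are both visible in an app’s manifest, which makes the combination easy to triage statically before install or during app-store review. The script below is an added example written for this page, not code from the Cloak & Dagger researchers or from Google: it parses an AndroidManifest.xml, flags a request for SYSTEM_ALERT_WINDOW, flags any service gated by BIND_ACCESSIBILITY_SERVICE (or registering the accessibility-service intent action), and reports when the app asks for both. The two sample manifests, including the package names and service name, are constructed for the example.

```python
"""Static triage of an AndroidManifest.xml for the two Cloak & Dagger permissions.

Added example (not the researchers' or Google's code). Sample manifests below
are constructed; package and service names are made up.
"""
import xml.etree.ElementTree as ET

# Android's XML namespace; manifest attributes are android:name, android:permission, ...
ANDROID_NS = "http://schemas.android.com/apk/res/android"
OVERLAY_PERM = "android.permission.SYSTEM_ALERT_WINDOW"
A11Y_PERM = "android.permission.BIND_ACCESSIBILITY_SERVICE"
A11Y_ACTION = "android.accessibilityservice.AccessibilityService"


def android_attr(elem, name):
    """Read a namespaced android:<name> attribute, or None if absent."""
    return elem.get(f"{{{ANDROID_NS}}}{name}")


def is_accessibility_service(service):
    """A service is an accessibility service if it is gated by
    BIND_ACCESSIBILITY_SERVICE or registers the AccessibilityService action."""
    if android_attr(service, "permission") == A11Y_PERM:
        return True
    return any(
        android_attr(action, "name") == A11Y_ACTION
        for action in service.iter("action")
    )


def triage_manifest(manifest_xml: str) -> dict:
    """Return which Cloak & Dagger capabilities a manifest requests."""
    root = ET.fromstring(manifest_xml)
    if root.tag != "manifest":
        raise ValueError("root element is not <manifest>")

    requested = {android_attr(p, "name") for p in root.iter("uses-permission")}
    has_overlay = OVERLAY_PERM in requested

    a11y_services = [
        android_attr(s, "name")
        for s in root.iter("service")
        if is_accessibility_service(s)
    ]

    return {
        "package": root.get("package"),
        "overlay": has_overlay,
        "accessibility_services": a11y_services,
        # Both capabilities together are what the combined attack needs.
        "both": has_overlay and bool(a11y_services),
    }


# Constructed sample: requests the overlay permission and declares an accessibility service.
SUSPICIOUS_MANIFEST = """<manifest xmlns:android="http://schemas.android.com/apk/res/android"
          package="com.example.constructed.suspicious">
  <uses-permission android:name="android.permission.INTERNET"/>
  <uses-permission android:name="android.permission.SYSTEM_ALERT_WINDOW"/>
  <application>
    <service android:name=".HelperService"
             android:permission="android.permission.BIND_ACCESSIBILITY_SERVICE">
      <intent-filter>
        <action android:name="android.accessibilityservice.AccessibilityService"/>
      </intent-filter>
    </service>
  </application>
</manifest>"""

# Constructed sample: an ordinary app with neither capability.
BENIGN_MANIFEST = """<manifest xmlns:android="http://schemas.android.com/apk/res/android"
          package="com.example.constructed.benign">
  <uses-permission android:name="android.permission.INTERNET"/>
  <application>
    <service android:name=".SyncService"/>
  </application>
</manifest>"""


if __name__ == "__main__":
    for xml in (SUSPICIOUS_MANIFEST, BENIGN_MANIFEST):
        print(triage_manifest(xml))
```

Run against a real app, feed it the decoded manifest (for example the output of `aapt dump xmltree` converted back to XML, or the manifest from an apktool decode). A hit on `both` is not proof of malice, since chat-head apps with an accessibility helper exist, but it is exactly the pairing worth a manual look.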