A new Android exploit known as Cloak and Dagger has been discovered, which uses various app-generated interface elements in the OS to hide malicious activity from users. Researchers from Georgia Institute of Technology discovered the exploit. They say it affects versions of Android up to and including 7.1.2.
The team, made up of Yanick Fratantonio, Chenxiong Qian, Simon Pak Ho Chung and Wenke Lee, demonstrated that the malware creates a grid over the Android screen that mirrors a regular onscreen keyboard.
“These attacks only require two permissions that, in case the app is installed from the Play Store, the user does not need to explicitly grant and for which she is not even notified,” wrote researchers on a site dedicated to the exploit.
“The possible attacks include advanced clickjacking, unconstrained keystroke recording, stealthy phishing, the silent installation of a God-mode app (with all permissions enabled), and silent phone unlocking + arbitrary actions (while keeping the screen off).”
These attacks abuse one or both of the ‘SYSTEM_ALERT_WINDOW’ (“draw on top”) and ‘BIND_ACCESSIBILITY_SERVICE’ (“a11y”) commands.
The researchers say these issues have yet to be fixed. In the meantime, the team recommends users check which applications have access to the “draw on top” and the “a11y” permissions.
Specific instructions on how to do this for each version of Android can be found here.
Image credit: Flickr – Rob Bulmahn