An unpatched vulnerability dubbed Cloak and Dagger affects all versions of Android and lets malicious actors steal data, including passwords; install applications with a full set of permissions; and monitor what the user is interacting with or typing on the keyboard of any Android smartphone or tablet.
Demonstrated by researchers at the Georgia Institute of Technology and the University of California, Santa Barbara, the attack uses an app distributed through Google Play. Although the app asks the user for no specific permissions, the attackers obtain the right to draw the app's interface on top of other apps, visually blocking them, and to click buttons on behalf of the user in such a way that the user notices nothing suspicious.
According to the researchers, the attack is possible because users are not explicitly prompted to allow apps to access SYSTEM_ALERT_WINDOW functions when installing apps from Google Play, and permission to access ACCESSIBILITY_SERVICE (A11Y) is quite easy to obtain.
The first permission allows an app to overlay its interface on top of any other app, and the second gives it access to a set of functions, the Accessibility Service, intended for people with visual or hearing impairments. The latter can do many different, even dangerous, things on a device, because it allows an application both to monitor what happens in other apps and to interact with them on behalf of the user.
Attacks that use the first permission, SYSTEM_ALERT_WINDOW, overlay other apps with their own interface without prompting the user. Moreover, the windows an app draws can have any shape, including shapes with holes, and each window can either capture taps itself or let them pass through so that the app window beneath registers them.
The second permission, Accessibility, was designed with good intentions: to make it easier for people with visual or hearing impairments to interact with Android devices. However, this feature grants apps such broad capabilities that it is often used for other purposes, by apps that need to perform actions not normally allowed on Android.
For example, to read out loud what is happening on the screen for people with a visual impairment, an app with Accessibility access may obtain information such as: what app has been opened, what the user taps on, and when a notification pops up. This means that the app knows the entire context of what is happening. And that's not all. In addition to monitoring activities, the app can also perform various actions on behalf of the user.
All in all, Google is aware that the Accessibility permission gives applications the ability to do practically anything that one can think of on the device; therefore, it requires users to enable Accessibility for each individual application in a special menu in the settings section of a smartphone.
The problem is that by using the first permission, SYSTEM_ALERT_WINDOW, and by skillfully showing windows that overlap most of the screen (aside from the "OK" button), attackers can trick users into enabling Accessibility options, thinking that they are agreeing to something innocuous.
Then, because Accessibility can perceive context and act on behalf of the user, which includes making purchases in the Google Play store, it becomes child's play for attackers to use Google Play to download a special spy app and grant it any permissions they want. Moreover, they can do so even when the screen is off or, for example, while an overlay such as a video clip plays on top, hiding everything that is happening beneath it.
Accessing SYSTEM_ALERT_WINDOW and ACCESSIBILITY_SERVICE also allows fraudsters to perform phishing attacks without raising user suspicion.
For example, when a user opens the Facebook app and begins to enter their login and password, another app holding the Accessibility permission can recognize what is happening and interfere. Then, using SYSTEM_ALERT_WINDOW and its ability to overlay other apps, that application can show the user a phishing window that looks just like Facebook's password prompt, into which the unsuspecting user enters the credentials of their account.
In this case, knowledge of the context lets the attackers show the phishing screen at exactly the right moment, only when the user is about to enter the password. From the user's point of view, the Facebook login worked as expected, so they have no reason to suspect that anything has gone wrong.
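As an added defensive example (not from the article or the researchers' code), here is how an Android app's login screen can blunt the overlay half of this attack and notice when an accessibility service is active; the layout ids and the warn-only policy are assumptions.

```java
import android.accessibilityservice.AccessibilityServiceInfo;
import android.app.Activity;
import android.content.Context;
import android.os.Bundle;
import android.util.Log;
import android.view.MotionEvent;
import android.view.View;
import android.view.accessibility.AccessibilityManager;

import java.util.ArrayList;
import java.util.List;

// Hardening for a login screen; R.layout.activity_login, R.id.password and
// R.id.login are hypothetical resources of the app.
public class LoginActivity extends Activity {
    private static final String TAG = "OverlayHardening";

    @Override
    protected void onCreate(Bundle savedInstanceState) {
        super.onCreate(savedInstanceState);
        setContentView(R.layout.activity_login);

        // Silently drop touches delivered while another window (for example a
        // SYSTEM_ALERT_WINDOW overlay) covers this view; the framework marks such
        // events with FLAG_WINDOW_IS_OBSCURED and discards them for us.
        View password = findViewById(R.id.password);
        password.setFilterTouchesWhenObscured(true);

        // For the login button, detect the same condition ourselves so the
        // app can log it as a tapjacking indicator instead of dropping it quietly.
        View login = findViewById(R.id.login);
        login.setOnTouchListener((v, ev) -> {
            if (isObscuredTouch(ev)) {
                Log.w(TAG, "Login tap arrived through an overlay; ignored");
                return true; // consume the event, do not trigger the login
            }
            return false;    // normal path: let the click handler run
        });

        // Surface which accessibility services are enabled, so the app can warn
        // the user before credentials are typed (what to do about it is policy).
        List<String> services = enabledAccessibilityServices(this);
        if (!services.isEmpty()) {
            Log.w(TAG, "Accessibility services enabled: " + services);
        }
    }

    // True if the touch passed through a window drawn on top of ours.
    static boolean isObscuredTouch(MotionEvent ev) {
        return (ev.getFlags() & MotionEvent.FLAG_WINDOW_IS_OBSCURED) != 0;
    }

    // Ids ("package/class") of accessibility services currently enabled for any feedback type.
    static List<String> enabledAccessibilityServices(Context ctx) {
        AccessibilityManager am =
                (AccessibilityManager) ctx.getSystemService(Context.ACCESSIBILITY_SERVICE);
        List<String> ids = new ArrayList<>();
        if (am == null) return ids;
        for (AccessibilityServiceInfo info :
                am.getEnabledAccessibilityServiceList(AccessibilityServiceInfo.FEEDBACK_ALL_MASK)) {
            ids.add(info.getId());
        }
        return ids;
    }
}
```

The same touch filtering can be declared in XML with android:filterTouchesWhenObscured="true" on each sensitive view.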
The authors of the Cloak and Dagger research tested the attack on the three most popular Android versions, Android 5, Android 6, and Android 7, which together account for 70% of all Android devices. All of those versions turned out to be vulnerable to the attack, and it is likely that all previous versions are as well. In other words, if you have an Android device, it probably affects you too.
To protect yourself, try not to install unknown apps from Google Play and other stores, especially free ones. Legitimate apps will not attack you using Cloak and Dagger; nevertheless, the question of how to tell a suspicious app from a harmless one remains open.
In addition, you should regularly check which permissions the apps on your device have and revoke unnecessary ones.