dogloose

Another day, another Android[1] exploit. This time, researchers say they have found an entirely new class of Android exploits, which they call Cloak and Dagger. The reason for the name is that the exploits operate silently in the background, without the user ever knowing about their existence.

Discovered by researchers at the University of California Santa Barbara and the Georgia Institute of Technology, the Cloak and Dagger attacks use two sets of permissions on Android. The first is the System Alert Window, also known as 'draw on top', which allows apps to create overlays or draw on top of other apps and the Android interface. The second is Bind Accessibility Service, known as 'a11y', which allows apps to use the numerous accessibility services available on Android to help people with sight and other challenges.

Using either or both of these permissions, a malicious app could make users fall for clickjacking. This is a concept where a malicious app shows users one interface, which actually masks another interface below. For example, users could be shown an innocuous questionnaire while, beneath it, app permissions are toggled without their knowledge.

Unsurprisingly, these two permissions allow all sorts of attacks to exploit users. "These attacks allow a malicious app to completely control the UI feedback loop and take over the device - without giving the user a chance to notice the malicious activity," the description of the Cloak and Dagger attacks reads on a dedicated website[2]. Notably, these attacks even affect all the latest versions of Google's mobile platform, including Android 7.1.2 Nougat, and require merely two permissions.
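The two permissions described above appear in an app's manifest as `android.permission.SYSTEM_ALERT_WINDOW` and `android.permission.BIND_ACCESSIBILITY_SERVICE`. The following Python script is an added example, not code from the article or the researchers: it audits a decoded (text) AndroidManifest.xml for either or both, and the sample manifest, package name and risk labels are constructed assumptions.

```python
import xml.etree.ElementTree as ET

ANDROID_NS = "{http://schemas.android.com/apk/res/android}"
OVERLAY = "android.permission.SYSTEM_ALERT_WINDOW"        # 'draw on top'
A11Y = "android.permission.BIND_ACCESSIBILITY_SERVICE"    # 'a11y'

# Constructed sample manifest (hypothetical package), already decoded to text XML.
SAMPLE_MANIFEST = """
<manifest xmlns:android="http://schemas.android.com/apk/res/android"
          package="com.example.flashlight">
  <uses-permission android:name="android.permission.SYSTEM_ALERT_WINDOW"/>
  <uses-permission android:name="android.permission.INTERNET"/>
  <application>
    <service android:name=".HelperService"
             android:permission="android.permission.BIND_ACCESSIBILITY_SERVICE">
      <intent-filter>
        <action android:name="android.accessibilityservice.AccessibilityService"/>
      </intent-filter>
    </service>
  </application>
</manifest>
""".strip()


def audit_manifest(xml_text):
    """Report which of the two Cloak and Dagger permissions a manifest declares."""
    root = ET.fromstring(xml_text)
    requested = {e.get(ANDROID_NS + "name") for e in root.iter("uses-permission")}
    # An accessibility service is a <service> guarded by BIND_ACCESSIBILITY_SERVICE,
    # not a <uses-permission> entry, so it has to be found separately.
    a11y_services = [s.get(ANDROID_NS + "name") for s in root.iter("service")
                     if s.get(ANDROID_NS + "permission") == A11Y]
    overlay = OVERLAY in requested
    a11y = bool(a11y_services)
    # Illustrative labels (assumption): both -> "high", either -> "review".
    risk = "high" if overlay and a11y else "review" if overlay or a11y else "none"
    return {"package": root.get("package"), "overlay": overlay,
            "a11y_services": a11y_services, "risk": risk}


if __name__ == "__main__":
    print(audit_manifest(SAMPLE_MANIFEST))
```
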

Alarmingly, the System Alert Window or 'draw on top' permission is not required to be explicitly granted by the user...

Read more from our friends at NDTV/Gadgets