Cloak and Dagger: A hole in Android

How a couple of simple permissions let an application steal passwords, log user actions, and do many other nasty things.

Warning: this is not a drill. This applies to all Android versions, and at the time of publishing this post Google has not yet patched the vulnerability. By using this vulnerability, it is possible to steal data, including passwords; install applications with a full set of permissions; and monitor what a user does and what he or she types on the keyboard of any Android smartphone or tablet.

The attack, dubbed “Cloak and Dagger” (probably in honor of the Marvel comic heroes), was demonstrated by researchers from the Georgia Institute of Technology and the University of California. They tried to draw Google's attention to the problem three times, but each time Google replied that everything worked as intended. The researchers were left with no option but to publish their findings; they even created a dedicated website, cloak-and-dagger.org, for that purpose.

The essence of the Cloak and Dagger attack

In a nutshell, the attack comes down to an app from Google Play that asks the user for no specific permissions, yet lets attackers draw its interface over other apps and press buttons on the user's behalf in such a way that the user does not notice.

This is possible because, when installing apps from Google Play, the user is not explicitly prompted to grant SYSTEM_ALERT_WINDOW, and the ACCESSIBILITY_SERVICE (A11Y) permission is quite easy to obtain.

What are these permissions? The first allows an app to draw its interface over any other app, and the second gives access to a set of functions for people with a visual or hearing impairment. Access to the Accessibility Service is quite dangerous, as it allows an application both to monitor what happens in other apps and to interact with them on behalf of the user.

Wondering what could go wrong?

An invisible layer

Roughly speaking, attacks that use the first permission, SYSTEM_ALERT_WINDOW, rely on the following: this permission, which Google Play effectively grants by default, allows an app to display anything on top of any other app. Moreover, the displayed windows can have any shape, including shapes with holes, and each can either capture taps on the screen or let them pass through to the app one layer below.

For example, it is possible to create a transparent layer that covers the virtual keyboard of an Android device and records every tap on the screen. By correlating the position of each tap with the keyboard layout, the attacker can work out exactly what the user is typing. Voila: a keylogger is ready. This is one of the examples the researchers presented to demonstrate the attack.

Generally speaking, SYSTEM_ALERT_WINDOW is also quite a dangerous permission, and Google itself assumes that it should be used by only a small number of apps. Yet, since popular applications such as Facebook Messenger (yes, the Chat Heads that float above everything else are exactly this), Skype, and Twitter require this permission, the Google team apparently decided it would be easier if Google Play simply granted it without explicitly prompting the user. Simplicity and security, unfortunately, quite often pull in opposite directions.

The dangers of the Accessibility features

Initially, the second permission, Accessibility, had a good intention: it makes it easier for people with a visual or hearing impairment to interact with Android devices. In practice, however, this bundle of features gives apps such broad powers that it is more often used for entirely different purposes.

For instance, in order to read aloud what is happening on the screen for people with a hearing impairment, an app with Accessibility access may obtain information about what is happening on the device: which app has been opened, what the user taps on, or when a notification pops up. This means the app knows the entire context of what is happening. And that is not all: the app can not only monitor activity but also perform various actions on behalf of the user.

All in all, Google is aware that the Accessibility permission lets applications do practically anything one can think of on the device; that is why Accessibility must be enabled for each individual application in a special menu in the smartphone's settings.

The problem is that, by using the first permission, SYSTEM_ALERT_WINDOW, and skillfully displaying windows that cover most of the screen except the “OK” button, attackers can convince users that they are agreeing to something innocuous, whereas they are actually granting the app access to Accessibility services.

Then, since Accessibility can perceive context and act on behalf of the user, including making purchases in the Google Play store, it will not be hard for the attackers to use Google Play to download a spy app with access to anything at all and grant it every permission you can imagine. Moreover, this can be done even when the screen is off or, for instance, while a video clip is playing on top of everything happening beneath it, and the user will not suspect a thing.

Paragon phishing

Also, access to SYSTEM_ALERT_WINDOW and ACCESSIBILITY_SERVICE allows fraudsters to carry out phishing attacks without arousing the user's suspicion.

For example, when a user opens the Facebook app and begins to enter his or her login and password, another app with Accessibility permissions can detect it. Then, using SYSTEM_ALERT_WINDOW and its ability to display layers over other apps, that application can show the user a phishing window in Facebook's colors, into which the unsuspecting user enters the login and password of his or her account.

In this case, the knowledge of context lets the developers show the phishing screen at exactly the right moment: only when the user is about to enter the password. Since the user is then logged in to Facebook as expected, he or she has no reason to suspect that anything unwanted has happened.

How to protect your device against the cloak and dagger

The authors of the research tested the attack on the three most popular Android versions: Android 5, Android 6, and Android 7, which together account for 70% of all Android devices. All of these versions turned out to be vulnerable to the attack, and most likely all previous versions are as well. This means that if you have an Android device, this concerns you too.

So, here is our main advice.

1. Try not to install unknown apps from Google Play or other stores, especially free ones. If you have not installed or launched any suspicious app, nothing can attack you. Nevertheless, the question of how to tell a suspicious app from a harmless one remains unsolved.

2. Regularly check what the apps on your device can access and revoke unnecessary permissions. You can read this article to learn how to do that.
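For readers who prefer to check this from a computer rather than by clicking through the settings menus, here is an added audit script (not from the article or from the researchers) that lists which packages on a connected device currently hold the two capabilities Cloak and Dagger combines: an enabled Accessibility service and the SYSTEM_ALERT_WINDOW ("draw over other apps") app op. It assumes adb is installed and USB debugging is enabled on the device; the device-side tools it calls (settings, pm, appops) ship with Android.

```shell
#!/bin/sh
# Added audit script (not from the article or the researchers): lists which
# packages on a connected device hold the two capabilities Cloak and Dagger
# combines. Assumes adb is installed and USB debugging is enabled; the
# device-side tools used (settings, pm, appops) ship with Android.

# Turn the raw value of the secure setting "enabled_accessibility_services"
# (colon-separated "package/ServiceClass" entries, or "null" when none is
# enabled) into one package name per line.
a11y_packages() {
    printf '%s\n' "$1" | tr ':' '\n' | sed -n 's#^\([^/][^/]*\)/.*#\1#p' | sort -u
}

# Given lines of the form "package<TAB>appops output", print the packages
# whose SYSTEM_ALERT_WINDOW app op is "allow", i.e. that may draw over other
# apps. Entries reading "deny", "default" or "No operations." are skipped.
overlay_packages() {
    printf '%s\n' "$1" | awk -F '\t' '$2 ~ /SYSTEM_ALERT_WINDOW: allow/ { print $1 }' | sort -u
}

# Pull the live data from the device and run both parsers over it.
audit_device() {
    a11y_raw=$(adb shell settings get secure enabled_accessibility_services | tr -d '\r')
    echo "== Packages with an enabled Accessibility service =="
    a11y_packages "$a11y_raw"

    echo "== Third-party packages allowed to draw over other apps =="
    ops=$(adb shell pm list packages -3 | tr -d '\r' | sed 's/^package://' |
        while read -r pkg; do
            op=$(adb shell appops get "$pkg" SYSTEM_ALERT_WINDOW | tr -d '\r' | head -n 1)
            printf '%s\t%s\n' "$pkg" "$op"
        done)
    overlay_packages "$ops"
}

# Run the audit only when invoked as "sh audit.sh --run", so the parsers
# above can also be sourced and reused on previously saved output.
if [ "${1:-}" = "--run" ]; then
    audit_device
fi
```

Any package that appears in both lists and is not one you knowingly rely on (a screen reader, a password manager, a floating-chat client) deserves a closer look and, if in doubt, removal.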

Do not forget about installing security solutions for Android devices. There is a free version of Kaspersky for Android, and if you do not have a security solution on your smartphone or tablet, we urge you to install at least that application.
