Cloak and Dagger: A hole in Android

How a couple of simple permissions let an application steal passwords, log user actions, and do many other nasty things.

Cloak and Dagger: A hole in Android

Everyone, this is not a drill. It applies to all versions of Android, and at the time of this post’s publication, Google has not yet patched the vulnerability. By using this vulnerability, malicious actors can steal data including passwords; install applications with a full set of permissions; and monitor what the user is interacting with or typing on a keyboard on any Android smartphone or tablet. We repeat: This is not a drill…

The attack, dubbed Cloak and Dagger, was demonstrated by employees of the Georgia Institute of Technology and the University of California, Santa Barbara. They drew Google’s attention to the problem three times, but each time, Google replied that everything was working as intended. The researchers were left with no option but to publish their discoveries: They even created a website,, for that purpose.

The essence of the Cloak and Dagger attack

In a nutshell, the attack uses an app from Google Play. Although the app asks for no specific permissions from the user, attackers obtain the rights to show the interface of the app on top of other apps, visually blocking them, and to click buttons on behalf of the user in such a way that they do not notice anything suspicious.

The attack is possible because users are not explicitly prompted to allow apps to access SYSTEM_ALERT_WINDOW functions when installing apps from Google Play, and permission to access ACCESSIBILITY_SERVICE (A11Y) is quite easy to obtain.

What kind of permissions are those? The first permission allows an app to overlay its interface on top of any other app, and the second one gives it access to a set of functions — Accessibility Service — for people with visual or hearing impairment. The latter can do a lot of different, even dangerous things, on a device by allowing an application both to monitor what happens in other apps and to interact with them on behalf of the user.

What could possibly go wrong?

An invisible layer

Essentially, the attacks that use the first permission, SYSTEM_ALERT_WINDOW, overlay other apps with their own interface without prompting the user. Moreover, the windows it can show can have any shape — including shapes with holes. They can also either register tapping or let it go through so that the app window below registers it.

For example, malicious developers can create a transparent layer that overlays the virtual keyboard of an Android device and captures all attempts to tap on the screen. Correlating the coordinates of the place where the user tapped the screen and the character positions on the keyboard, the attacker can find out what exactly the user is typing on that keyboard. Malicious programs of that kind are called keyloggers. This is one of the examples the researchers presented to demonstrate the attack.

Generally speaking, SYSTEM_ALERT_WINDOW is quite a dangerous permission; and Google itself assumes that it should be limited to a small number of apps. However, with popular applications such as Facebook Messenger (those Chat Heads that overlay everything else), Skype, and Twitter requiring this permission, the team at Google apparently decided that it would be easier if Google Play just granted the permission without explicitly prompting the user. Simplicity and security, unfortunately, don’t always go hand in hand.

The dangers of Accessibility features

The second permission, Accessibility, was designed with good intentions: to make it easier for people with visual or hearing impairments to interact with Android devices. However, this feature gives such a large number of permissions to apps that it is more often used for different purposes — by apps that need to execute actions not usually allowed on Android.

For example, to read out loud what is happening on the screen for people with a visual impairment, an app with Accessibility access may obtain information such as: what app has been opened, what the user taps on, and when a notification pops up. This means that the app knows the entire context of what is happening. And that’s not all. In addition to monitoring activities, the app can also perform various actions on behalf of the user.

All in all, Google is aware that the Accessibility permission gives applications the ability to do practically anything that one can think of on the device; therefore, it requires users to enable Accessibility for each individual application in a special menu in the settings section of a smartphone.

The problem is that by using the first permission, SYSTEM_ALERT_WINDOW, and by skillfully showing windows that overlap most of the screen (aside from the “OK” button), attackers can trick users into enabling Accessibility options, thinking that they are agreeing to something innocuous.

Then, because Accessibility can perceive context and act on behalf of users, which includes making purchases in the Google Play store, it becomes child’s play for attackers to use Google Play to download a special spy app and give it any permissions they want. Moreover, they can do so even when the screen is off or, for example, while a video clip plays, blocking everything that is happening below it.

Ultimate phishing

Accessing SYSTEM_ALERT_WINDOW and ACCESSIBILITY_SERVICE also allows fraudsters to perform phishing attacks without raising user suspicion.

For example, when a user opens the Facebook app and attempts to enter their login and password, another app with the Accessibility permissions may understand what’s happening and interfere. Then, by making use of SYSTEM_ALERT_WINDOW and the ability to overlay other apps, the application may show the user a phishing window that looks just like Facebook’s password prompt, into which the unsuspecting user will enter the login and password of his or her account.

In this case, the knowledge of context allows the developers to show the phishing screen at the right spot only when the user is going to enter the password. And from the user’s point of view, the Facebook login worked as expected, so they won’t have any reason to suspect that something has gone wrong.

Attacks such as those we describe above are not new to security researchers. They even have a name — tapjacking. Google gave Android app developers a way to fight back: an option to check if an app is overlaid, in which case users will not be allowed to perform some actions. That’s why most banking apps are protected against attacks with overlays such as Cloak and Dagger. However, the only way to be 100% sure an app is not vulnerable to such attacks is to contact the developer.

How to protect your device against Cloak and Dagger

The authors of the Cloak and Dagger research have tested the attack on three most popular Android versions: Android 5, Android 6, and Android 7, which together account for 70% of all Android devices. It turns out that those versions are all vulnerable to the attack — and it’s likely all previous versions are as well. In other words, if you have an Android device, it probably concerns you as well.

So, here is what you can do to protect yourself:

1. Try not to install unknown apps from Google Play and other stores, especially free apps. Legitimate apps will not attack you using Cloak and Dagger. Nevertheless, the question of how to tell a suspicious app from a harmless one remains open.

2. Regularly check which permissions the apps on your device have and revoke unnecessary ones. You can read this post to learn more on how to do that.

Last but not least, do not forget about installing security solutions on Android devices. There is a free version of Kaspersky Internet Security for Android, and if you do not yet have a security solution on your smartphone or tablet, installing it is good start.