{"id":16960,"date":"2017-06-02T12:38:50","date_gmt":"2017-06-02T16:38:50","guid":{"rendered":"https:\/\/www.kaspersky.com\/blog\/?p=16960"},"modified":"2019-11-15T06:47:27","modified_gmt":"2019-11-15T11:47:27","slug":"cloak-and-dagger-attack","status":"publish","type":"post","link":"https:\/\/www.kaspersky.com\/blog\/cloak-and-dagger-attack\/16960\/","title":{"rendered":"Cloak and Dagger: A hole in Android"},"content":{"rendered":"

Everyone, this is not a drill. It applies to all versions of Android, and at the time of this post\u2019s publication, Google has not yet patched the vulnerability. By using this vulnerability, malicious actors can steal data including passwords; install applications with a full set of permissions<\/a>; and monitor what the user is interacting with or typing on a keyboard on any Android smartphone or tablet. We repeat: This is not a drill\u2026<\/p>\n

The attack, dubbed Cloak and Dagger, was demonstrated by employees of the Georgia Institute of Technology and the University of California, Santa Barbara. They drew Google\u2019s attention to the problem three times, but each time, Google replied that everything was working as intended. The researchers were left with no option but to publish their discoveries: They even created a website, cloak-and-dagger.org, for that purpose.<\/p>\n

The essence of the Cloak and Dagger attack<\/h2>\n

In a nutshell, the attack uses an app from Google Play. Although the app asks for no specific permissions from the user, attackers obtain the rights to show the interface of the app on top of other apps, visually blocking them, and to click buttons on behalf of the user in such a way that they do not notice anything suspicious.<\/p>\n

The attack is possible because users are not explicitly prompted to allow apps to access SYSTEM_ALERT_WINDOW functions when installing apps from Google Play, and permission to access ACCESSIBILITY_SERVICE (A11Y) is quite easy to obtain.<\/p>\n

What kind of permissions are those? The first permission allows an app to overlay its interface on top of any other app, and the second one gives it access to a set of functions \u2014 Accessibility Service \u2014 for people with visual or hearing impairment. The latter can do a lot of different, even dangerous things, on a device by allowing an application both to monitor what happens in other apps and to interact with them on behalf of the user.<\/p>\n

What could possibly go wrong?<\/p>\n

An invisible layer<\/h3>\n

Essentially, the attacks that use the first permission, SYSTEM_ALERT_WINDOW, overlay other apps with their own interface without prompting the user. Moreover, the windows it can show can have any shape \u2014 including shapes with holes. They can also either register tapping or let it go through so that the app window below registers it.<\/p>\n

For example, malicious developers can create a transparent layer that overlays the virtual keyboard of an Android device and captures all attempts to tap on the screen. Correlating the coordinates of the place where the user tapped the screen and the character positions on the keyboard, the attacker can find out what exactly the user is typing on that keyboard. Malicious programs of that kind are called keyloggers<\/a>. This is one of the examples the researchers presented to demonstrate the attack.<\/p>\n