A team of researchers from the Georgia Institute of Technology has created a proof of concept exploiting a series of vulnerabilities and design shortcomings in the Android UI that the team says can be used to steal passwords, or to install a “God-mode” app that gives hackers full permissions on the device.
In a research paper forwarded to Google – Cloak and Dagger: From Two Permissions to Complete Control of the UI Feedback Loop – the team uncovers a new class of potential attacks affecting all Android versions up to and including 7.1.2. The attacks abuse the SYSTEM_ALERT_WINDOW (“draw on top”) and BIND_ACCESSIBILITY_SERVICE (“accessibility”) permissions.
On a website dedicated to the discovery, the team shows on video how a malicious app bypassing Google Play Protect can end up on a user’s Android device and control the UI feedback loop, essentially taking over the device completely. The worst part? Users won’t notice any malicious behavior.
“These attacks only require two permissions that, in case the app is installed from the Play Store, the user does not need to explicitly grant and for which she is not even notified,” the team says. “Our user study indicates that these attacks are practical. These attacks affect all recent versions of Android (including the latest version, Android 7.1.2), and they are yet to be fixed.”
Attacks that abuse the “draw on top” permission include context-aware clickjacking and context hiding, luring the user into enabling accessibility for the attacker even with the latest security mechanisms in place. Also leveraging “draw on top” is the Invisible Grid Attack, which consists of unconstrained keystroke recording – essentially a keylogger that can be used to steal passwords or retrieve private information.
Attacks that abuse the “accessibility service” permission include security PIN stealing, device unlock through PIN injection, arbitrary actions with the screen switched off, stealing two-factor authentication tokens, ad hijacking and more.
Attacks that abuse both permissions include silent installation of an app that has all permissions enabled (also known as God-mode app) and stealthy phishing.
To defend against these attacks, users are advised to check which applications have access to the “draw on top” and accessibility permissions. As a rule of thumb, users should only download applications from developers they trust. Google has done its bit by updating its “bouncer” to keep such malicious apps out of Play Store.
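One way to carry out that check on a device you administer, as an added example that is not code from the researchers, Google or Bitdefender: parse the output of two adb commands (assumed here: `adb shell dumpsys package <pkg>` for permission grants and `adb shell settings get secure enabled_accessibility_services` for active accessibility services) and flag any app holding either permission, with apps holding both called out as candidates for the silent-install scenario. The sample outputs embedded below are constructed for illustration.

```python
"""Audit installed apps for the two Cloak and Dagger permissions.

Assumed inputs (collect them yourself with adb):
  adb shell dumpsys package <pkg>   -> "install permissions:" block with granted=true/false
  adb shell settings get secure enabled_accessibility_services -> ':'-separated ComponentNames
"""
import re

DRAW_ON_TOP = "android.permission.SYSTEM_ALERT_WINDOW"

# Constructed sample, shaped like trimmed 'dumpsys package' output for two packages.
SAMPLE_DUMPSYS = """\
  Package [com.example.flashlight] (1a2b3c):
    install permissions:
      android.permission.SYSTEM_ALERT_WINDOW: granted=true
      android.permission.INTERNET: granted=true
  Package [com.example.notes] (4d5e6f):
    install permissions:
      android.permission.INTERNET: granted=true
"""

# Constructed sample value of the enabled_accessibility_services secure setting.
SAMPLE_A11Y = ("com.example.flashlight/com.example.flashlight.OverlayService:"
               "com.android.talkback/.TalkBackService")


def parse_draw_on_top(dumpsys_text):
    """Return package names whose dumpsys block shows SYSTEM_ALERT_WINDOW granted."""
    granted, current = set(), None
    for line in dumpsys_text.splitlines():
        m = re.search(r"Package \[([\w.]+)\]", line)
        if m:
            current = m.group(1)          # start of a new package block
        elif current and DRAW_ON_TOP in line and "granted=true" in line:
            granted.add(current)
    return granted


def parse_accessibility(setting_value):
    """Return package names that have an enabled accessibility service (pkg/Service entries)."""
    return {c.split("/", 1)[0] for c in setting_value.split(":") if "/" in c}


def audit(dumpsys_text, setting_value, trusted=()):
    """Map each untrusted package to the list of Cloak and Dagger permissions it holds."""
    overlay, a11y = parse_draw_on_top(dumpsys_text), parse_accessibility(setting_value)
    report = {}
    for pkg in (overlay | a11y) - set(trusted):
        report[pkg] = [name for name, held in (("draw on top", overlay), ("accessibility", a11y)) if pkg in held]
    return report


if __name__ == "__main__":
    for pkg, held in sorted(audit(SAMPLE_DUMPSYS, SAMPLE_A11Y, trusted={"com.android.talkback"}).items()):
        print(f"{pkg}: {', '.join(held)}" + ("  <- holds BOTH" if len(held) == 2 else ""))
```

Packages reported with both permissions deserve immediate review; a trusted list (screen readers such as TalkBack) keeps legitimate accessibility tools out of the report.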
“We’ve been in close touch with the researchers and, as always, we appreciate their efforts to help keep our users safer,” the Internet giant said in a statement. “We have updated Google Play Protect — our security services on all Android devices with Google Play — to detect and prevent the installation of these apps. Prior to this report, we had already built new security protections into Android O that will further strengthen our protection from these issues moving forward.”
Android O, to launch on Sept. 23, is the latest version of the company’s mobile operating system. In addition to these new safety measures, Android O packs an anti-ransomware mechanism.
Bitdefender’s Privacy Advisor feature, available with the Mobile Security & Antivirus app, notifies users of potentially malicious applications asking for permissions on the device.