The new attack vector, which affects Android up to 7.1.2, makes your phone potentially vulnerable to clickjacking, keystroke recording, and more.
Around two years ago, Google as well as major Android OEMs announced that they would be issuing monthly security patches for their Android devices, following the discovery of what researchers called the worst Android bug ever found. Although Android’s security as an operating system has improved drastically since then, it doesn’t mean it’s perfectly protected from malware.
A team of researchers from Georgia Institute of Technology – Yanick Fratantonio, Chenxiong Qian, Simon Pak Ho Chung, and Wenke Lee – has discovered a new exploit called Cloak & Dagger, which puts any Android device up to version 7.1.2 at potential risk. Essentially, the new vulnerability lets hackers use Android’s SYSTEM_ALERT_WINDOW and BIND_ACCESSIBILITY_SERVICE permissions to draw interactive elements over the user’s screen. In other words, hackers can implant malicious interface elements and disguise them as legitimate within the device’s home screen or any app for that matter.
As the researchers describe, “These attacks allow a malicious app to completely control the UI feedback loop and take over the device — without giving the user a chance to notice the malicious activity… The possible attacks include advanced clickjacking, unconstrained keystroke recording, stealthy phishing, the silent installation of a God-mode app (with all permissions enabled), and silent phone unlocking + arbitrary actions (while keeping the screen off).”
One example is an invisible grid attack, where hackers can track what you type on your virtual keyboard with a malicious grid that has been laid underneath.
In another example, hackers can install malware with all permissions granted by concealing hyperlinks beneath legitimate content.
The researchers warn that only two permissions are required in order for hackers to take advantage of this vulnerability and that these attacks affect all recent versions of Android. Google has released an official statement in response, explaining that it has taken steps to prevent these attacks:
“We’ve been in close touch with the researchers and, as always, we appreciate their efforts to help keep our users safer. We have updated Google Play Protect — our security services on all Android devices with Google Play — to detect and prevent the installation of these apps. Prior to this report, we had already built new security protections into Android O that will further strengthen our protection from these issues moving forward.”
However, to be extra safe, always avoid downloading unverified apps, and always keep track of what permissions you give to each app. You can also disable the “draw on top” permission by going into Settings > Apps > Settings symbol > Special access > Draw over other apps.