Researchers from UC Santa Barbara and Georgia Tech have discovered a fresh class of Android attacks, called Cloak and Dagger.
These attacks allow a malicious app to completely control the UI feedback loop and take over the device — without giving the user a chance to notice the malicious activity.
Cloak and Dagger exploits take advantage of the Android UI, and they require just two permissions to get rolling: SYSTEM ALERT WINDOW (“draw on top”) and BIND ACCESSIBILITY SERVICE (“A11y”).
Android automatically grants the draw-on-top permission for any app downloaded from the Play Store, and once a hacker is in, it’s possible to trick someone into granting the A11y permission. A Cloak and Dagger-enabled app hides a layer of malicious activity under seemingly harmless visuals, luring users to click on unseen buttons and keystroke loggers.
These attacks affect all recent versions of Android (including the latest version, Android 7.1.2), and they are yet to be fixed.