Cloak And Dagger Exploit uses Overlays and Accessibility Services to Hijack the System

By | 26th May 2017

What we at XDA once envisioned as a proof of concept security vulnerability has now been confirmed by computer scientists at the Georgia Institute of Technology in Atlanta. The team details what they call “cloak and dagger” exploits which can take over the UI of most versions of Android (including 7.1.2). Given it’s nature, it is difficult to fix and also difficult to detect.

Cloak and Dagger is an exploit that takes advantage of two permissions in order to take control the UI without giving the user a chance to notice the malicious activity. The attack uses two permissions: SYSTEM_ALERT_WINDOW (“draw on top“) and BIND_ACCESSIBILITY_SERVICE (“a11y“) that are very commonly used in Android apps.

We have outlined this in the past, but what makes this vulnerability so acute is the fact that applications requesting SYSTEM_ALERT_WINDOW are automatically granted this permission when installed via the Google Play Store. As for enabling an Accessibility Service, a malicious application is able to quite easily socially engineer a user into granting it. The malicious application could even be set up to use an Accessibility Service for a semi-legitimate purpose, such as monitoring when certain applications are open to change certain settings.

Once these two permissions have been granted, the number of attacks that could occur are numerous. Stealing of PINs, two-factor authentication tokens, passwords, or even denial-of-service attacks are all possible. This is thanks to the combination of overlays to trick the user into thinking they are interacting with a legitimate app and the Accessibility Service being used to intercept text and touch input (or relay its own input).

We theorized such a vulnerability a few months back, wherein we would create a proof-of-concept application that uses SYSTEM_ALERT_WINDOW and BIND_ACCESSIBILITY_SERVICE in order to draw an overlay over the password entry screen in the XDA Labs app and intercept key input to swipe passwords. This application we envisioned would be an auto-rotation managing application which would use an overlay for the purposes of drawing an invisible box on screen to control rotation (rather than request WRITE_SETTINGS which would raise flags) and an Accessibility service to allow the user to control auto-rotate profiles on a per-app basis. In theory, this would be one example of an application using “cloak-and-dagger.” However, none among our team were willing to risk their developer accounts by challenging Google’s automated app scanning systems to see if our proof-of-concept exploit would be allowed on the Play Store.

In any case, these researchers did the work and submitted test applications to prove that the use of these two permissions can indeed be a major security issue:

As you can see, the attacks are invisible to users and allow full control over the device. Currently all versions of Android starting from Android 5.1.1 to Android 7.1.2 are vulnerable to this exploit, given the fact that it takes advantage of two permissions otherwise used for completely legitimate purposes.

Don’t expect a true fix for this issue to come to your device anytime soon, though it should be noted that the changes made to SYSTEM_ALERT_WINDOW in Android O will partially address this flaw by disallowing malicious apps from completely drawing over the entire screen. Furthermore, Android O now alerts with via notification if an application is actively drawing an overlay. With these two changes, it’s less likely that a malicious application can get away with the exploit if the user is attentive.

How do you protect yourself on versions before Android O? As always, install only apps that you trust from sources that you trust. Make sure the permissions they request line up with what you expect.

As for the hundreds of millions of regular users out there, according to a Google spokesperson Play Store Protect will also provide necessary fixes to prevent the cloak and dagger attacks. How exactly it will accomplish this is unclear, but hopefully it involves some way of detecting when these two permissions are being used maliciously. I doubt that it would be able to detect all such cases, though, so in any case it’s best for you to monitor what permissions are being granted to each application you install.