
Combination of features leads to new Android vulnerability

According to Georgia Institute of Technology researchers, the newly identified risk to Android devices comes not from a traditional attack, such as malicious software, but from two legitimate permissions designed to power commonly used features in popular apps. Combined, however, the two permissions enable a new class of attacks, which the researchers call “Cloak and Dagger.”

The first permission is called “BIND_ACCESSIBILITY_SERVICE,” and it supports the use of devices by disabled persons. It allows inputs, including user name and password, to be made by voice command. The second permission is called “SYSTEM_ALERT_WINDOW.” This is an overlay feature that draws a window on top of the device’s usual screen, for example to display the bubbles of a chat program or the map of a ride-sharing app.

According to the researchers, when these features are combined in a malicious way, “SYSTEM_ALERT_WINDOW” acts as the cloak and “BIND_ACCESSIBILITY_SERVICE” functions as the dagger. Together, the two permissions allow an attacker to construct a window that fools users into believing they are interacting with legitimate features of the app. A malicious program, operating as the overlay, is then able to capture a user’s credentials. The accessibility permission can then be used to enter the credentials into the real app hidden beneath, allowing it to operate as expected, so the user is unaware that anything has gone awry.

The co-discoverer of the vulnerability, Professor Wenke Lee, explains more about ‘cloak and dagger’ in an interview with his university’s website: “We identified two different Android features that when combined, allow an attacker to read, change or capture the data entered into popular mobile apps.”

Outlining just what these are, he adds that the two features “are very useful in mapping, chat or password manager apps, so preventing their misuse will require users to trade convenience for security. This is as dangerous an attack as we could possibly describe.”

To prove the weakness, the researchers created an attack on 20 Android devices. Each was shown to be vulnerable. Moreover, Android versions up to and including 7.1.2 are vulnerable to this attack. The researchers hope Google will rectify the weakness with the next software upgrade.

The new risks to Android devices were presented in May 2017 at the 38th IEEE Symposium on Security and Privacy, which took place in San Jose, California.

Written By

Dr. Tim Sandle is Digital Journal's Editor-at-Large for science news. Tim specializes in science, technology, environmental, business, and health journalism. He is additionally a practising microbiologist; and an author. He is also interested in history, politics and current affairs.
