Researchers have demonstrated how a malicious app with two specific permissions can stealthily compromise users’ Android devices.
“The possible attacks include advanced clickjacking, unconstrained keystroke recording, stealthy phishing, the silent installation of a God-mode app (with all permissions enabled), and silent phone unlocking + arbitrary actions (while keeping the screen off),” the researchers, from Georgia Tech and the University of California, Santa Barbara, explained.
The attack vector – dubbed “Cloak and dagger” – doesn’t take advantage of bugs, but of several design shortcomings of the Android platform.
It affects all versions of the popular mobile OS, including the latest one (v7.1.2, aka Android Nougat).
“These attacks abuse one or both of the SYSTEM_ALERT_WINDOW (‘draw on top’) and BIND_ACCESSIBILITY_SERVICE (‘a11y’) [permissions],” the researchers noted.
“If the malicious app is installed from the Play Store, the user is not notified about the permissions and she does not need to explicitly grant them for the attacks to succeed. In fact, in this scenario, ‘draw on top’ is automatically granted, and this permission is enough to lure the user into unknowingly enabling a11y (through clickjacking).”
The researchers had no trouble placing such an app on Google Play. “We submitted an app requiring these two permissions and containing a non-obfuscated functionality to download and execute arbitrary code (attempting to simulate a clearly-malicious behavior): this app got approved after just a few hours (and it is still available on the Google Play Store),” they shared.
Google has been informed of this research, and of the security issues that can arise due to these design decisions. According to the responsible disclosure timeline presented by the researchers, the company won’t be fixing the “a11y” issue as they consider the feature to be working as intended, and has not followed up with a status update on the other issues.
In the wake of the public disclosure of the research, Google has noted that they have updated Google Play Protect to detect and prevent the installation of such apps, and that they have already built new security protections into Android O, which are meant to protect against these issues.
Still, as the attacks remain practical, users would do well to be extra careful about which apps they download and, once an app is installed, to check whether it makes use of these two permissions.
To see which apps have the “draw on top” permission, go to the device’s settings, and check each individual app. For the “a11y” permission, go to Settings > Accessibility > Services, and check which apps require it.
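As an added example (not from the article or the researchers' work), the following POSIX shell script performs the same two checks over adb instead of by tapping through Settings: it lists the packages behind every enabled accessibility service and the third-party packages whose “draw on top” app-op is allowed. It assumes adb is installed and a device with USB debugging enabled is attached; the package names used in the parser comments and tests are constructed.

```shell
#!/bin/sh
# Added example: audit which installed apps hold the two permissions that
# Cloak and Dagger abuses. Assumes adb and a USB-debugging device (assumption).

# The secure setting enabled_accessibility_services holds colon-separated
# "package/service" entries (or "null" when none is enabled). Print the
# distinct package names, one per line.
a11y_packages_from_setting() {
  printf '%s\n' "$1" | tr ':' '\n' | sed -n 's#^\([^/]*\)/.*#\1#p' | sort -u
}

# Given the output of "appops get <pkg> SYSTEM_ALERT_WINDOW", print 1 when the
# "draw on top" op is allowed and 0 otherwise (deny, ignore, default, or
# "No operations." all count as not allowed).
overlay_allowed() {
  case "$1" in
    *"SYSTEM_ALERT_WINDOW: allow"*) echo 1 ;;
    *) echo 0 ;;
  esac
}

# Run both checks against the attached device.
audit_device() {
  echo "== Apps with an enabled accessibility service (a11y) =="
  a11y_packages_from_setting \
    "$(adb shell settings get secure enabled_accessibility_services | tr -d '\r')"

  echo "== Third-party apps allowed to draw on top (SYSTEM_ALERT_WINDOW) =="
  # "pm list packages -3" restricts the scan to user-installed packages.
  adb shell pm list packages -3 | tr -d '\r' | sed 's/^package://' |
  while read -r pkg; do
    out=$(adb shell appops get "$pkg" SYSTEM_ALERT_WINDOW | tr -d '\r')
    [ "$(overlay_allowed "$out")" = 1 ] && echo "$pkg"
  done
}

# Only talk to a device when adb is actually available on this machine.
if command -v adb >/dev/null 2>&1; then
  audit_device
fi
```

Any unfamiliar package in either list is worth reviewing, since a single app appearing in both has exactly the combination the researchers describe.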