A few days ago, we talked about the Judy Malware, a type of malicious software that has been present in many apps from the Google Play Store for over a year now. The news shook the Android community since 1) Google wasn’t able to detect the malware and subsequently allowed it to flourish for over a year, and 2) it’s almost impossible to know which apps have been infected.

But it seems that the Judy Malware was not the end of Android users’ problems. Recently, online security experts have discovered that certain design flaws in the Android system can allow “cloak and dagger” attacks to compromise the safety of those who use Android devices. This security issue was discovered by researchers from Georgia Tech and the University of California — Santa Barbara.

How They Work

Cloak and dagger attacks take advantage of existing permissions that are found in Android devices: SYSTEM_ALERT_WINDOW (also known as “draw on top”) and BIND_ACCESSIBILITY_SERVICE (also known as “a11y”). The former allows apps to overlap on top of each other when displayed on the device’s screen, while the latter is designed to assist users with visual disabilities and allows them to use voice commands to interact with the phone’s interface.

Cybercriminals can decide either of these permissions to carry out attacks, or even both of them. According to Georgia Tech, the draw on top permission helps cybercriminals do an invisible grid attack (which records the keystrokes you make when typing out passwords or private messages) as well as content hiding and context-aware clickjacking.

The accessibility service permission, on the other hand, allows cybercriminals to hijack ads, record keystrokes, and steal security PINs and two-factor authentication data. It even allows hackers to unlock devices through PIN injection and perform other actions on the device while ensuring the screen is turned off. This prevents the users from noticing that something fishy is going on in their phone or tablet.

The draw on top and accessibility service permissions can be used together to do stealthy phishing and install a God-mode app, which enables all permissions in the device and makes it easier for cybercriminals to carry out further attacks.

Virtually Unnoticeable

Aside from allowing cyberattackers to easily access users’ data and devices, cloak and dagger attacks can’t be easily noticed by Android device owners. This makes them even more dangerous since people won’t become aware that their security has been compromised and that they’re at risk for data theft and other cybercrimes.

Researchers from UC — Santa Barbara have proven this by conducting a study in which 20 subjects were asked to interact with an infected app then log into Facebook. The app was able to steal the users’ Facebook usernames and passwords, but none of the 20 subjects were able to tell that something was unusual — even when they were told by the researchers that their credentials have been stolen.

Google is already aware of this issue and has refreshed the Google Play Store so it can detect malicious apps and prevent the installation of infected apps into users’ devices. It will also incorporate these findings into its development for Android O and ensure that the upcoming OS version has stronger security protection.

Click here to read our initial report on the Judy Malware.

Applications “Cloak and Dagger” Attacks Can Target Android Devices