Cloak & Dagger is a new class of potential attacks affecting Android devices. These attacks allow a malicious app to completely control the UI feedback loop and take over the device — without giving the user a chance to notice the malicious activity. These attacks only require two permissions that, if the app is installed from the Play Store, the user does not need to explicitly grant and for which she is not even notified. Our user study indicates that these attacks are practical. These attacks affect all recent versions of Android (including the latest version, Android 7.1.2), and they are yet to be fixed.
Here is the current status (as of June 19th, 2017). Previous versions are very likely to be vulnerable as well.
Attacks | Android 5.1.1 (32.0%*) | Android 6.0.1 (31.2%) | Android 7.1.2 (7.1%) |
---|---|---|---|
Invisible Grid Attack | vulnerable | vulnerable | vulnerable |
Clickjacking → a11y | vulnerable | vulnerable | vulnerable |
Silent God-Mode | vulnerable | vulnerable | vulnerable** |
Stealthy Phishing | vulnerable | vulnerable | vulnerable |
PIN stealing | vulnerable | vulnerable | vulnerable |
Phone Unlocking (while screen off) | vulnerable | vulnerable | vulnerable |
Leaky a11y (passwords, 2FA tokens, CCs) | vulnerable | vulnerable | vulnerable*** |
- Invisible Grid Attack
- Context-aware/hiding Clickjacking + Silent God-mode Install Attack
- Stealthy Phishing Attack
Cloak and Dagger: From Two Permissions to Complete Control of the UI Feedback Loop
Yanick Fratantonio, Chenxiong Qian, Simon P. Chung, Wenke Lee.
```bibtex
@InProceedings{fratantonio17:cloakdagger,
  author    = {Fratantonio, Yanick and Qian, Chenxiong and Chung, Simon and Lee, Wenke},
  title     = {{Cloak and Dagger: From Two Permissions to Complete Control of the UI Feedback Loop}},
  booktitle = {Proceedings of the IEEE Symposium on Security and Privacy (Oakland)},
  month     = {May},
  year      = {2017},
  address   = {San Jose, CA}
}
```
We responsibly disclosed our findings to Google's Android security team. A timeline of the disclosure steps and of the responses from Google is posted here (we will keep this updated as time passes):
`adb`) or to determine the permissions requested by each app through the Play Store website. For example, to check the permissions of the official LastPass app (which requires both permissions), you can go to its Play Store page, scroll down, and click "View details" under "Permissions". The "draw on top" permission will appear under the "Others" / "draw over other apps" label, while the a11y will appear under "Others" / "bind to an accessibility service".
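As an added example (not code from the Cloak & Dagger site or the paper), the `adb` route in POSIX shell: an audit that flags installed apps holding both capabilities at once, the "draw on top" app-op (SYSTEM_ALERT_WINDOW, via `appops get`) and an enabled accessibility service (the `enabled_accessibility_services` secure setting). It assumes `adb` on PATH with an authorised device for the live part; the parsing helpers run offline on constructed sample output.

```sh
#!/bin/sh
# Added example: find apps that hold BOTH capabilities Cloak & Dagger combines.
#   "draw on top"  -> app-op SYSTEM_ALERT_WINDOW
#                     (adb shell appops get PKG SYSTEM_ALERT_WINDOW)
#   a11y service   -> secure setting enabled_accessibility_services
#                     (value looks like "pkg/.Svc:other.pkg/.Svc", or "null")
# Assumes adb is on PATH and the device is authorised for USB debugging.

# Package names of every enabled accessibility service, one per line, deduplicated.
a11y_packages() {
  printf '%s\n' "$1" | tr ':' '\n' | sed -e 's|/.*||' -e '/^$/d' -e '/^null$/d' | sort -u
}

# True (exit 0) when an `appops get PKG SYSTEM_ALERT_WINDOW` output says "allow".
# Other states the command reports: "deny", "ignore", "default" or "No operations."
overlay_allowed() {
  printf '%s\n' "$1" | grep -q '^SYSTEM_ALERT_WINDOW: allow'
}

# True when PKG is among the enabled a11y packages AND its overlay op is allowed.
# Arguments: package name, raw setting value, raw appops output for that package.
holds_both() {
  pkg=$1; a11y_value=$2; appops_out=$3
  a11y_packages "$a11y_value" | grep -qxF -- "$pkg" && overlay_allowed "$appops_out"
}

# Live audit: walk every enabled a11y service's package and cross-check appops.
# adb output carries CR line endings, hence tr -d '\r'.
audit_device() {
  svcs=$(adb shell settings get secure enabled_accessibility_services | tr -d '\r')
  for pkg in $(a11y_packages "$svcs"); do
    ops=$(adb shell appops get "$pkg" SYSTEM_ALERT_WINDOW | tr -d '\r')
    if holds_both "$pkg" "$svcs" "$ops"; then
      echo "BOTH capabilities: $pkg"
    fi
  done
  return 0
}

if [ "${1:-}" = "--live" ]; then
  audit_device
fi
```

Run it with `--live` against a connected device; on the affected versions a Play Store install gets the overlay app-op allowed without a prompt, so an empty result means no app currently combines the two, not that the overlay permission is unused.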