Hackers can use a malicious app to secretly take over and spy on an Android device with a new series of attacks dubbed Cloak & Dagger, according to research published recently at the IEEE Symposium on Security and Privacy.
“The possible attacks include advanced clickjacking, unconstrained keystroke recording, stealthy phishing, the silent installation of a God-mode app (with all permissions enabled), and silent phone unlocking and arbitrary actions (while keeping the screen off),” the researchers explained.
A study of 20 users showed the attacks are practical and virtually undetectable. They were disclosed to Google beginning in August 2016 and remain partially actionable today because, according to the account given by the researchers, the Android security team repeatedly deemed the attacks less severe than the researchers did.
Android’s security team did not respond to CyberScoop’s request for a comment.
“A quick experiment shows that it is trivial to get such [a malicious] app accepted on the Google Play Store,” the researchers wrote.
Malicious apps are a real threat on the Google Play store. Last month, researchers found spyware that had been downloaded over 1 million times in the three years it had been sitting on the Play store. A few days earlier, bank malware masqueraded in similar fashion as an innocent “Funny Videos” app that was downloaded over 5,000 times.
The Cloak & Dagger researchers explained how they got on the Google Play store: “In particular, we submitted an app requiring these two permissions and containing a non-obfuscated functionality to download and execute arbitrary code (attempting to simulate a clearly-malicious behavior): this app got approved after just a few hours (and it is still available on the Google Play Store).”
The series of attacks are numerous but all connected, because they allow attackers to surreptitiously gain two key permissions without any notification to the user.
Here is one attack demonstrated: