Technology

‘Cloak & Dagger’ attack hits all the typical Android security weaknesses

The Android security team repeatedly deemed the attacks less severe than the researchers did.

May 24, 2017

Hackers can use a malicious app to secretly take over and spy on an Android device with a new series of attacks dubbed Cloak & Dagger, according to research published recently at the IEEE Symposium on Security and Privacy.

“The possible attacks include advanced clickjacking, unconstrained keystroke recording, stealthy phishing, the silent installation of a God-mode app (with all permissions enabled), and silent phone unlocking and arbitrary actions (while keeping the screen off),” the researchers explained.

A study of 20 users showed the attacks are practical and virtually undetectable. They were disclosed to Google beginning in August 2016 and remain partially actionable today because, according to the account given by the researchers, the Android security team repeatedly deemed the attacks less severe than the researchers did.

Android’s security team did not respond to CyberScoop’s request for a comment.

“A quick experiment shows that it is trivial to get such [a malicious] app accepted on the Google Play Store,” the researchers wrote.

Malicious apps are a real threat on the Google Play store. Last month, researchers found spyware that had been downloaded over 1 million times in the three years it had been sitting on the Play store. A few days earlier, bank malware masqueraded in similar fashion as an innocent “Funny Videos” app that was downloaded over 5,000 times.

The Cloak & Dagger researchers explained how they got on the Google Play store: “In particular, we submitted an app requiring these two permissions and containing a non-obfuscated functionality to download and execute arbitrary code (attempting to simulate a clearly-malicious behavior): this app got approved after just a few hours (and it is still available on the Google Play Store).”

The series of attacks are numerous but all connected, because they allow attackers to surreptitiously gain two key permissions without any notification to the user.

The researchers recommend users check permissions on apps they use, a task that can be complicated or even impossible on some versions of Android.

Here is one attack demonstrated:

‘Cloak & Dagger’ attack hits all the typical Android security weaknesses

More Like This

House hurtles toward showdown over expiring surveillance tools

Civil society groups press platforms to step up election integrity work

Spyware and zero-day exploits increasingly go hand-in-hand, researchers find

Top Stories

Six-year old bug will likely live forever in Lenovo, Intel products

House passes extension of expiring surveillance authorities

Congressional privacy bill looks to rein in data brokers

More Scoops

Google warns companies about keeping hackers out of cloud infrastructure

FTC says popular fertility app gave advertisers pregnancy data without permission

Google reveals two global spyware campaigns targeting Apple and Android devices

Facebook warns 1 million users about apps trying to compromise accounts

State-sponsored Iranian hackers uploaded fake VPN app to Google’s Play store, posed as university officials

A spyware app designed to monitor Kurdish targets attracted more than 1,400 downloads

Hackers exploit WhatsApp modification tool to snoop on texts, force paid subscriptions

Latest Podcasts

How Troy Hunt knows if you’ve been hacked and Washington tries to understand AI

Why pig butchering is the worst kind of online scam

How the FBI fights ransomware

Mandiant’s Sandra Joyce on AI for cyber defense and what’s troubling CISOs

Government

Technology

Threats

Geopolitics