Mobile Threat Blog


Cloak and Dagger is an attack that can be carried out by an app installed from the Google Play store or by a side-loaded app. The attack does not require the user to grant any special permissions, because it exploits two permissions that are so commonly used that the user is not prompted to grant them:

  • SYSTEM_ALERT_WINDOW (“draw on top” permission): The right to draw the app's interface on top of other apps, visually covering them, as alert dialogs do.
  • ACCESSIBILITY_SERVICE (A11Y): An accessibility permission that gives an app the capability to click buttons on behalf of the user.

Researchers at the Georgia Institute of Technology and the University of California, Santa Barbara discovered vulnerabilities in these Android permissions that are commonly used by apps, including Facebook.

The Cloak and Dagger malware is not in the wild, and there are no known instances of its use outside the demonstration by the universities that discovered the Android vulnerability. However, Kaspersky Labs has called it the ‘ultimate phishing malware’ because it can replicate app functionality perfectly.

The vulnerability:

  • Enables password and PIN stealing, keystroke inference and silent app installation.
  • Affects at least 70% of Android devices and likely more; as of June 12, 2017, Google had not remediated the vulnerability.

Flagging use of the permissions as malicious is not an option since they are used legitimately by a large number of apps including Facebook.

Recommendations

All enterprises should avoid side-loaded apps.

Appthority customers can use the Appthority solution to determine which apps may be vulnerable by checking which apps in their environment hold the two permissions. On a device, the permissions can be reviewed as follows:

Android 7.1.2:
  • “draw on top” permission: Settings → Apps → “Gear symbol” (top-right) → Special access → Draw over other apps.
  • a11y: Settings → Accessibility → Services: check which apps require a11y.

Android 6.0.1:
  • “draw on top” permission: Settings → Apps → “Gear symbol” (top-right) → Draw over other apps.
  • a11y: Settings → Accessibility → Services: check which apps require a11y.

Android 5.1.1:
  • “draw on top” permission: Settings → Apps → click on an individual app and look for “draw over other apps”.
  • a11y: Settings → Accessibility → Services: check which apps require a11y.

If an unknown app requests either or both of these permissions, users can remove the app.
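The settings paths above are a per-device, manual check. To make the same check repeatable across many devices, here is an added example (not Appthority's tool and not code from the original post) that takes the output of two adb commands, `adb shell settings get secure enabled_accessibility_services` and `adb shell dumpsys package`, and flags packages that request the “draw on top” permission, have an enabled accessibility service, or both. The adb commands are real; the sample inputs are constructed, the dumpsys excerpt is trimmed to the fields the parser reads, the package names and the allowlist are hypothetical, and the three-level risk ranking is an assumption of this example rather than anything the post prescribes.

```python
"""Added example: flag installed packages holding the two permissions Cloak and Dagger abuses.

Inputs are text you would collect with adb (assumed collection commands):
  adb shell settings get secure enabled_accessibility_services
  adb shell dumpsys package
Both samples below are constructed; the dumpsys text is a trimmed excerpt in the
shape of the real output, and every package name in it is made up or illustrative.
"""
import re
from typing import Dict, List, Set

OVERLAY_PERM = "android.permission.SYSTEM_ALERT_WINDOW"

# Constructed sample: enabled accessibility services, ':'-separated ComponentNames.
SAMPLE_A11Y = (
    "com.example.screenreader/com.example.screenreader.ReaderService:"
    "com.unknown.helper/.ClickService"
)

# Constructed excerpt in the shape of `dumpsys package` output (trimmed).
SAMPLE_DUMPSYS = """\
Packages:
  Package [com.example.screenreader] (1a2b3c):
    userId=10123
    requested permissions:
      android.permission.INTERNET
  Package [com.unknown.helper] (4d5e6f):
    userId=10124
    requested permissions:
      android.permission.SYSTEM_ALERT_WINDOW
      android.permission.INTERNET
    install permissions:
      android.permission.SYSTEM_ALERT_WINDOW: granted=true
  Package [com.facebook.katana] (7a8b9c):
    userId=10125
    requested permissions:
      android.permission.SYSTEM_ALERT_WINDOW
"""

# Hypothetical allowlist: packages an organisation has reviewed and accepts with
# these permissions (the post names Facebook as a legitimate user of both).
ALLOWLIST = {"com.facebook.katana", "com.example.screenreader"}


def parse_a11y_services(raw: str) -> Set[str]:
    """Return the package names whose accessibility service is enabled."""
    packages = set()
    for component in raw.strip().split(":"):
        if "/" in component:                      # ComponentName is pkg/ServiceClass
            packages.add(component.split("/", 1)[0])
    return packages


def parse_requested_permissions(dumpsys: str) -> Dict[str, Set[str]]:
    """Map each package to the permissions listed under 'requested permissions:'."""
    perms: Dict[str, Set[str]] = {}
    current = None
    in_requested = False
    for line in dumpsys.splitlines():
        m = re.match(r"\s*Package \[([^\]]+)\]", line)
        if m:                                     # start of a new package record
            current = m.group(1)
            perms[current] = set()
            in_requested = False
            continue
        stripped = line.strip()
        if stripped == "requested permissions:":
            in_requested = True
            continue
        if stripped.endswith(":"):                # any other section header ends the list
            in_requested = False
            continue
        if in_requested and current and stripped.startswith("android.permission."):
            perms[current].add(stripped)
    return perms


def audit(a11y_raw: str, dumpsys: str, allowlist: Set[str]) -> List[dict]:
    """Rank packages by how many of the two abused capabilities they hold."""
    a11y = parse_a11y_services(a11y_raw)
    requested = parse_requested_permissions(dumpsys)
    findings = []
    for pkg in sorted(set(requested) | a11y):
        overlay = OVERLAY_PERM in requested.get(pkg, set())
        accessibility = pkg in a11y
        if not (overlay or accessibility):
            continue
        if pkg in allowlist:
            risk = "reviewed"
        elif overlay and accessibility:
            risk = "high"                         # both halves of the Cloak and Dagger combination
        else:
            risk = "medium"
        findings.append({"package": pkg, "overlay": overlay,
                         "accessibility": accessibility, "risk": risk})
    return findings


def high_risk_packages(a11y_raw: str = SAMPLE_A11Y, dumpsys: str = SAMPLE_DUMPSYS,
                       allowlist: Set[str] = ALLOWLIST) -> List[str]:
    """Unreviewed packages holding both permissions, i.e. candidates for removal."""
    return [f["package"] for f in audit(a11y_raw, dumpsys, allowlist) if f["risk"] == "high"]


if __name__ == "__main__":
    for f in audit(SAMPLE_A11Y, SAMPLE_DUMPSYS, ALLOWLIST):
        print(f"{f['risk']:8} {f['package']}  overlay={f['overlay']}  a11y={f['accessibility']}")
```

On the sample data only the made-up `com.unknown.helper` comes out as high risk, because it is the only package that both requests SYSTEM_ALERT_WINDOW and has an enabled accessibility service without having been reviewed. An allowlist is what keeps this useful in practice: since the post points out that legitimate apps such as Facebook use both permissions, a raw list of holders is noise, and the decision to keep or remove an app belongs with the reviewed set rather than the permission alone.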
