A New Android Exploit has the Ability to Hide Malicious Activity

A New Android Exploit has the Ability to Hide Malicious Activity

Another attack was discovered by the researchers at Georgia Institute of Technology, and this one affects every version of Android up to 7.1.2. The researchers are calling the exploit ‘Cloak & Dagger’, and it’s designed to use Android’s own screen behavior and design against its user. This is done so that the activity of the hacker that’s working on infecting the phone could be better hidden. The hacker uses interface elements generated by the various apps to record screen interactions, which allows spying, as well as other harmful activities.

This exploit was discovered by a team of researchers that consists of four people – Chenxiong Quan, Wenke Lee, Simon Pak Ho Chung, and Yanick Fratantonio. They’ve proved the existence of this exploit by demonstrating the ability of malware to draw an invisible grid over the screen of the device, which can almost perfectly mirror the keyboard found on the screen of the phone.

The researchers have stated that this opens a possibility of numerous attacks, which might include unconstrained keystroke recording. background installation of apps with all permissions allowed (God-mode apps). Also, there are possibilities of advanced clickjacking, stealthy phishing, silent phone unlocking in combination with arbitrary actions while the phone’s screen is off, and even more, as the researchers predict.

In their paper, the researchers mention this and say that the attack might lead to gaining the complete control over the device. The user might not even notice that something’s going on, especially since the attack itself is designed to hide all actions for as long as possible. The paper also states that, in case that the malicious app was downloaded from the Play Store, the user won’t even be tricked into allowing special permissions, nor will they receive warnings.

The researchers say that this exploit depends on two things – SYSTEM_ALERT_WINDOW (“draw on top”) as well as BIND_ACCESSIBILITY_SERVICE (“a11y”). With these two, the exploit can draw any interactive elements on top of the real apps. Let’s say that you wish to log into your Facebook account via your Android phone. When you get a field in which the password should be typed in, the exploit will draw its own field, so that the user would be tricked into revealing the password to the attacker. However, if the Facebook app is closed, the drawn field can still be seen, just hanging in space.

The exploit can still be disabled, and the entire process can be ended by simply turning off the ‘draw on top’ permission. This can be done by going to Settings, selecting Apps, hitting the Gear symbol, proceeding to Special Access, and then finally tapping the Draw Over Other Apps option.