A new Android vulnerability, dubbed Cloak and Dagger, has been discovered by researchers at the Georgia Institute of Technology. It makes it easier for bad actors to pass off trojanized apps as legitimate.
According to Georgia Tech, it results not from a traditional bug but from the malicious combination of two legitimate permissions that underpin commonly used features in popular apps. The first is the accessibility service permission (BIND_ACCESSIBILITY_SERVICE), which supports users with disabilities: it lets an app act on the user's behalf, for example entering a user name and password by voice command, and lets a screen reader relay on-screen content to the user. The second is the overlay or “draw-on-top” permission (SYSTEM_ALERT_WINDOW), which lets an app draw a window over whatever the device is otherwise showing, such as bubbles for a chat program or maps for a ride-sharing app.
The vulnerability lets a trojanized app silently take control of a mobile device's user interface. From there, the app overlays the real interface with false information while malicious activity proceeds underneath, such as capturing passwords or extracting the user's contacts.
"In Cloak and Dagger, we identified two different Android features that when combined, allow an attacker to read, change or capture the data entered into popular mobile apps," said Wenke Lee, a professor in Georgia Tech's School of Computer Science and co-director of the Institute for Information Security & Privacy, in a release on the research. "The two features involved are very useful in mapping, chat or password manager apps, so preventing their misuse will require users to trade convenience for security. This is as dangerous an attack as we could possibly describe."
Of most concern to Georgia Tech's researchers is that these permissions can be granted automatically to apps installed from the Google Play store, so the user never has to explicitly approve them for the attack to succeed. Nearly 10% of the top 5,000 Android apps use the overlay feature, noted Yanick Fratantonio, the paper's first author, and many are downloaded with the accessibility feature enabled.
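Because the danger lies in one app holding both capabilities at once, the practical check is to audit a device for apps that have an enabled accessibility service and are also allowed to draw over other apps. The script below is an added example for this article, not code from the researchers or from Google. It parses the output of two real adb commands, `adb shell settings get secure enabled_accessibility_services` and `adb shell appops get <package> SYSTEM_ALERT_WINDOW`; the sample outputs embedded in it are constructed to resemble that format, and since the exact text printed by `appops get` varies between Android versions the parsing is deliberately lenient. The package names in the samples are hypothetical.

```python
"""Audit an Android device for apps holding BOTH capabilities that
Cloak and Dagger abuses: an enabled accessibility service and the
"draw over other apps" (SYSTEM_ALERT_WINDOW) permission.

Added example, not the researchers' code. Real adb commands parsed:
  adb shell settings get secure enabled_accessibility_services
  adb shell appops get <package> SYSTEM_ALERT_WINDOW
  adb shell pm list packages -3
"""
import re
import subprocess
from typing import Dict, List, Set

# Constructed sample: the setting lists package/service components separated
# by ':' and reads "null" when no accessibility service is enabled.
SAMPLE_A11Y_SETTING = (
    "com.example.chatbubbles/com.example.chatbubbles.OverlayA11yService:"
    "com.vendor.screenreader/.ReaderService"
)

# Constructed sample: one `appops get <pkg> SYSTEM_ALERT_WINDOW` output per package.
SAMPLE_APPOPS: Dict[str, str] = {
    "com.example.chatbubbles": "SYSTEM_ALERT_WINDOW: allow; time=+2d3h ago",
    "com.vendor.screenreader": "No operations.",
    "com.example.rideshare": "SYSTEM_ALERT_WINDOW: allow",
    "com.example.notes": "SYSTEM_ALERT_WINDOW: deny; time=+1h ago",
}


def parse_enabled_accessibility_services(setting: str) -> Set[str]:
    """Return the packages that currently have an accessibility service enabled."""
    setting = setting.strip()
    if not setting or setting == "null":
        return set()
    pkgs: Set[str] = set()
    for component in setting.split(":"):
        component = component.strip()
        if component:
            # component is "<package>/<service class>"; keep the package part
            pkgs.add(component.split("/", 1)[0])
    return pkgs


def overlay_allowed(appops_output: str) -> bool:
    """True if `appops get` reports the SYSTEM_ALERT_WINDOW op as allowed.
    Tolerates trailing "; time=..." text and the "No operations." case."""
    m = re.search(r"SYSTEM_ALERT_WINDOW:\s*(\w+)", appops_output)
    return bool(m) and m.group(1).lower() == "allow"


def find_cloak_and_dagger_capable(a11y_setting: str,
                                  appops_by_pkg: Dict[str, str]) -> List[str]:
    """Packages with an enabled accessibility service AND overlay permission."""
    a11y_pkgs = parse_enabled_accessibility_services(a11y_setting)
    return sorted(pkg for pkg, out in appops_by_pkg.items()
                  if pkg in a11y_pkgs and overlay_allowed(out))


def collect_from_device() -> List[str]:
    """Run the real adb commands against a connected device (not exercised offline)."""
    def sh(*args: str) -> str:
        return subprocess.run(["adb", "shell", *args], capture_output=True,
                              text=True, check=True).stdout

    a11y = sh("settings", "get", "secure", "enabled_accessibility_services")
    # `pm list packages -3` prints one "package:<name>" line per third-party app
    pkgs = [line.split(":", 1)[1].strip()
            for line in sh("pm", "list", "packages", "-3").splitlines()
            if line.startswith("package:")]
    appops = {p: sh("appops", "get", p, "SYSTEM_ALERT_WINDOW") for p in pkgs}
    return find_cloak_and_dagger_capable(a11y, appops)


if __name__ == "__main__":
    for pkg in find_cloak_and_dagger_capable(SAMPLE_A11Y_SETTING, SAMPLE_APPOPS):
        print("holds both capabilities:", pkg)
```

On the constructed sample only `com.example.chatbubbles` is flagged: the screen reader has accessibility enabled but no overlay permission, and the ride-sharing app has the overlay permission but no accessibility service. A hit means an app holds both capabilities, not that it is malicious; legitimate accessibility tools can legitimately need both, so the list is a starting point for review, not a verdict.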
In a user study, the researchers ran a simulated attack against 20 Android users, and none of them noticed it.
Georgia Tech researchers have disclosed the potential attack to Google, but noted that because the issue involves two common features that can be misused even when they behave as intended, the issue could be more difficult to resolve than ordinary operating system bugs.
"Changing a feature is not like fixing a bug," said Yanick Fratantonio, the paper's first author. "System designers will now have to think more about how seemingly unrelated features could interact. Features do not operate separately on the device."
Winston Bond, EMEA technical director at Arxan Technologies, noted in an email that the discovery demonstrates once again just how dangerous corrupted or malicious fake applications can be.
“Apps which have been broken into and reverse engineered are a crucial vector for delivering malware used to initiate these kinds of advanced attack methods, enabling the attacker to covertly mine sensitive data for extended periods of time,” he said. “Users have traditionally been told they will be safe as long as they only download apps from official sources and don’t pirate software, but we have increasingly seen cases of malicious apps being downloaded from within app stores or official websites.”
In other words, developers can no longer rely on the official app stores to protect their users.
“[Developers] need to proactively defend their software from criminals seeking to tamper with its code and turn it into a weapon,” Bond noted. “Defensive techniques such as code obfuscation and debugger detection, which will protect important code and shut the app down if it is tampered with, need to become standard practice as attackers find increasingly inventive ways to use apps as weapons.”
Android versions up to and including 7.1.2, the current release at the time of the research, are vulnerable to this attack, researchers said.