Image credit: Jan Persiel/Flickr

Android exploit adds secret, thieving layers to your phone

Google is aware of the issue.

Researchers from UC Santa Barbara and Georgia Tech have discovered a fresh class of Android attacks, called Cloak and Dagger, that can operate secretly on a phone, allowing hackers to log keystrokes, install software and otherwise control a device without alerting its owner. Cloak and Dagger exploits take advantage of the Android UI, and they require just two permissions to get rolling: SYSTEM_ALERT_WINDOW ("draw on top") and BIND_ACCESSIBILITY_SERVICE ("a11y").

This concerns researchers because Android automatically grants the draw-on-top permission to any app installed from the Play Store, and once a hacker has that foothold, it's possible to trick the user into granting the a11y permission as well. A Cloak and Dagger-enabled app hides a layer of malicious activity under seemingly harmless visuals, luring users into tapping unseen buttons and typing into hidden keystroke loggers.

"To make things worse, we noticed that the accessibility app can inject the events, unlock the phone, and interact with any other app while the phone screen remains off," the researchers write. "That is, an attacker can perform a series of malicious operations with the screen completely off and, at the end, it can lock the phone back, leaving the user completely in the dark."

Google is aware of the exploit.

"We've been in close touch with the researchers and, as always, we appreciate their efforts to help keep our users safer," a spokesperson says. "We have updated Google Play Protect -- our security services on all Android devices with Google Play -- to detect and prevent the installation of these apps. Prior to this report, we had already built new security protections into Android O that will further strengthen our protection from these issues, moving forward."

One of the researchers, Yanick Fratantonio, tells TechCrunch the recent updates to Android O might address Cloak and Dagger, and the team will test it out and update its website accordingly. For now, he says, don't download random apps and keep an eye on those permissions.
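One way to act on that advice from a workstation, as an added example that is not from the article or the researchers: a small Python script that reads the enabled accessibility services and the SYSTEM_ALERT_WINDOW app-op over adb and flags any package that holds both. It assumes `adb` is on PATH with one attached device; the output samples quoted in comments are constructed.

```python
# Added example (not from the article or the researchers): audit, over adb, the
# two permissions Cloak and Dagger needs. Assumes `adb` is on PATH with one
# device attached; sample output quoted in comments is constructed.
import re
import subprocess

def adb(*args):
    """Run `adb shell <args>` and return its stdout as text."""
    return subprocess.run(["adb", "shell", *args], capture_output=True,
                          text=True, check=True).stdout

def parse_accessibility_services(raw):
    """Parse `settings get secure enabled_accessibility_services`:
    a colon-separated list of package/ServiceClass entries, or `null`."""
    raw = raw.strip()
    if raw in ("", "null"):
        return []
    return [entry for entry in raw.split(":") if entry]

def parse_overlay_mode(raw):
    """Parse `appops get <pkg> SYSTEM_ALERT_WINDOW` into its mode string.
    Constructed sample line: `SYSTEM_ALERT_WINDOW: allow; time=+3d2h ago`.
    `No operations.` means the op was never set; reported as `default`."""
    match = re.search(r"SYSTEM_ALERT_WINDOW:\s*(\w+)", raw)
    return match.group(1) if match else "default"

def flag_risky(services, overlay_modes, trusted):
    """Packages with an enabled accessibility service that may also draw on
    top, minus packages you have vetted (e.g. a screen reader)."""
    a11y_pkgs = {svc.split("/", 1)[0] for svc in services}
    return sorted(p for p in a11y_pkgs
                  if overlay_modes.get(p) == "allow" and p not in trusted)

def audit(trusted=frozenset()):
    """Live check of the attached device; returns the flagged package list."""
    services = parse_accessibility_services(
        adb("settings", "get", "secure", "enabled_accessibility_services"))
    modes = {p: parse_overlay_mode(adb("appops", "get", p, "SYSTEM_ALERT_WINDOW"))
             for p in {svc.split("/", 1)[0] for svc in services}}
    return flag_risky(services, modes, trusted)

if __name__ == "__main__":
    for pkg in audit():
        print("REVIEW:", pkg, "runs an accessibility service and can draw on top")
```

A package that appears in the output is not necessarily malicious; it simply holds the same two capabilities the attack depends on and deserves a look.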
