All Android Phones Vulnerable to Extremely Dangerous Full Device Takeover Attack

Researchers have discovered a new attack, dubbed 'Cloak and Dagger', that works against all versions of Android, up to version 7.1.2.

Cloak and Dagger attack allows hackers to silently take full control of your device and steal private data, including keystrokes, chats, device PIN, online account passwords, OTP passcode, and contacts.

What's interesting about Cloak and Dagger attack?

The attack doesn't exploit any vulnerability in Android ecosystem; instead, it abuses a pair of legitimate app permissions that is being widely used in popular applications to access certain features on an Android device.

Researchers at Georgia Institute of Technology have discovered this attack, who successfully performed it on 20 people and none of them were able to detect any malicious activity.

Cloak and Dagger attacks utilise two basic Android permissions:

  • SYSTEM_ALERT_WINDOW ("draw on top")
  • BIND_ACCESSIBILITY_SERVICE ("a11y")

The first permission, known as "draw on top," is a legitimate overlay feature that allows apps to overlap on a device's screen and top of other apps.
The second permission, known as "a11y," is designed to help disabled, blind and visually impaired users, allowing them to enter inputs using voice commands, or listen content using screen reader feature.


Scary Things Hackers Can Do to Your Android (Demo)


Since the attack does not require any malicious code to perform the trojanized tasks, it becomes easier for hackers to develop and submit a malicious app to Google Play Store without detection.

Unfortunately, it’s a known fact that the security mechanisms used by Google are not enough to keep all malware out of its app market.

If you are following regular security updates from The Hacker News, you must be better aware of frequent headlines like, "hundreds of apps infected with adware targeting play store users," and "ransomware apps found on play store."

Just last month, researchers uncovered several Android apps masqueraded as an innocent "Funny Videos" app on Play Store with over 5,000 downloads but distributed the 'BankBot banking Trojan' that steal victims' banking passwords.

Here's what the researchers explained how they got on the Google Play Store to perform Cloak & Dagger attacks:
"In particular, we submitted an app requiring these two permissions and containing a non-obfuscated functionality to download and execute arbitrary code (attempting to simulate a clearly malicious behavior): this app got approved after just a few hours (and it is still available on the Google Play Store)." researchers say.
Once installed, the researchers say the attacker can perform various malicious activities including:

  • Advanced clickjacking attack
  • Unconstrained keystroke recording
  • Stealthy phishing attack
  • Silent installation of a God-mode app (with all permissions enabled)
  • Silent phone unlocking and arbitrary actions (while keeping the screen off)

In short, the attackers can secretly take over your Android device and spy on your every activity you do on your phone.

No comments

News Images

News Images
TECH NEWS
Powered by Blogger.