Security researchers have discovered a set of Android vulnerabilities that let hackers take full control of your device even if it is locked or switched off. The attack is named Cloak and Dagger.
The attack hides permission prompts behind overlaid images: users press "OK" thinking that they are permitting just one action, but by tapping OK they actually allow other activity on their device. The security researchers have posted a dummy image to show the hidden permission box behind the overlay. However, the real attack only shows the fake message instead of the real one.
Explaining Android vulnerabilities, researchers said:
These attacks allow a malicious app to completely control the UI feedback loop and take over the device — without giving the user a chance to notice the malicious activity. These attacks only require two permissions that, in case the app is installed from the Play Store, the user does not need to explicitly grant and for which she is not even notified. Our user study indicates that these attacks are practical. These attacks affect all recent versions of Android (including the latest version, Android 7.1.2), and they are yet to be fixed.
The security researchers from UC Santa Barbara and Georgia Tech have disclosed their findings to Google. After learning about the vulnerabilities, Google told Engadget that it had pushed an update to Google Play Protect to shield users.
Cloak and Dagger takes advantage of the Android OS and requires just two permissions to take control of your device - SYSTEM_ALERT_WINDOW ("draw on top") and BIND_ACCESSIBILITY_SERVICE ("a11y").
Here is a complete statement by Google:
We've been in close touch with the researchers and, as always, we appreciate their efforts to help keep our users safer. We have updated Google Play Protect -- our security services on all Android devices with Google Play -- to detect and prevent the installation of these apps. Prior to this report, we had already built new security protections into Android O that will further strengthen our protection from these issues, moving forward.
Interestingly, the researchers believe that the security update from Google is not a permanent fix for the vulnerabilities. The team of researchers says that Google's update for Play Protect is a partial fix and is limited to Android 7.1.2.
Google implemented a partial fix (only on Android 7.1.2): “on top” overlays do not appear anymore whenever an app’s permission list is shown. However, this is only used for “normal” permissions, and not for “special” permissions, such as “draw on top” and a11y. This is problematic: since the “clickjacking → a11y” is still possible, a malicious app can use the “Phone Unlocking (while keeping the screen off) attack” to enable these permissions while keeping the screen off, thus making the silent installation of a God-mode app still practical.
The researchers say that the latest update for Android O could address the Cloak and Dagger attack. Until then, Android users should refrain from downloading apps from untrusted sources and keep an eye on permission boxes popping up on their device's screen. Recently, there has been a steep rise in the volume of hack attacks. It is advisable to use your devices carefully to protect yourself from hackers.