A new class of Android exploits called 'Cloak and Dagger' may be one of the most dangerous yet. Discovered by researchers from UC Santa Barbara and Georgia Tech, this type of attack lets an attacker add an invisible layer of UI on your screen, either to trick you into granting permissions you normally wouldn't or to carry out all sorts of operations without your knowledge.
The exploit requires only two Android permissions: SYSTEM_ALERT_WINDOW ("draw on top") and BIND_ACCESSIBILITY_SERVICE ("a11y"). Of these, the first is provided automatically to all Play Store apps, and the second can be gained by tricking a user.
In a demo video, one of the researchers who discovered the exploit installs an app that apparently plays a simple tutorial video and shows a few innocent prompts. Underneath each apparently innocent popup, however, you're actually clicking on system prompts that grant the app a bevy of system privileges, and a number of unauthorized operations are carried out while you're supposedly just watching a video.
This means that an attacker could not only gain remote access to your phone; unlike other similar attacks, you would also see no visual representation of any actions they were performing, because these are masked by the added superficial layer of UI. Alongside remote control of your device, the exploit potentially allows attackers to log all your keystrokes as well.
The attack becomes even more sophisticated when your screen is turned off:
"To make things worse, we noticed that the accessibility app can inject the events, unlock the phone, and interact with any other app while the phone screen remains off. That is, an attacker can perform a series of malicious operations with the screen completely off and, at the end, it can lock the phone back, leaving the user completely in the dark."
Thankfully, the researchers have already contacted Google, which claims that some of the recent changes to Android O should automatically prevent some of these issues from occurring. The researchers believe the claim could be credible and are currently testing it. The company has also updated its Google Play Protect security tools to prevent such apps from being installed on your device in the first place.