The attack revolves around two functions, namely SYSTEM_ALERT_WINDOW and BIND_ACCESSIBILITY_SERVICE. If the application can gain both permissions, it can successfully complete this attack. SYSTEM_ALERT_WINDOW is a function which allows apps to display overlay screens for things like notifications. BIND_ACCESSIBILITY_SERVICE is a permission for accessibility services that allows tracking and querying of visual elements displayed on the phone. These permissions can be abused individually, or in tandem. The SYSTEM_ALERT_WINDOW permission lets an app draw overlays on top of other apps, and is widely used. When we download apps from Google Play that request the System Alert overlay permission, Android grants it automatically; no user approval is required. That means malicious apps asking for that permission can hide ill-intentioned activity behind innocuous-looking screens. This completes the first task of getting user permission without his or her knowledge. Once we have SYSTEM_ALERT_WINDOW permission, we can easily lure the user to perform three clicks to get the BIND_ACCESSIBILITY_SERVICE permission grant. This can be achieved by building a malicious application, embedding a video in it and using social engineering to convince the user into clicking and opening it. BIND_ACCESSIBILITY_SERVICE is a service which grants an application the user ability to discover UI objects displayed on the screen, query the content, and interact with them. These widgets make Android devices more accessible to disabled users. Because of the security implications, this permission must be enabled manually through a dedicated menu in the settings app. For example, the maliciously crafted application can request a permission the user must approve, but cover the request notification with another screen that asks for something innocent. This leaves a hole in the cover screen for the real “Ok” button for playing the video. This type of bait and switch is a known as click-jacking. When users grant this permission by clicking on the lured object, apps gain the ability to track objects across the screen, interact with them and even manipulate them. In most cases, these features are reserved for services that address physical and visual impairments. In the hands of a malicious app, they can be devastating. Once the attacker has user approval for the accessibility permission, the attacker can abuse it for types of keystroke logging, phishing and even stealthy installation of other malicious apps for deeper access to the victim system. There are essentially four basic attacks which can be performed once the two permissions are obtained. These are not the only available attack types; the number is subject to attacker’s imagination:

Attacker can modify what the user sees Attacker can control user input Attacker can choose what is currently displayed Attacker can steal all the data by installing a trojan or other malicious software

Below are a few different attack types with detailed steps.

  1. Clickjacking Overlay Attack This attack can be used to lure the user into granting the device administrator privilege. There are multiple malwares in the wild which can launch this attack. As depicted in the below image, the malware presents an “Installation is complete” dialog with a “Continue” button. This dialog, however, is actually a TYPE_SYTEM_OVERLAY window with the device administrator activation dialog sitting underneath. From the Android API documentation, TYPE_SYSTEM_OVERLAY is “system overlay windows, which need to be displayed on top of everything else” and “must not take input focus.” So, once the user clicks the “Continue” button, the click event is actually sent to the “Activate” button on the real device administrator activation window.

  2. Security PIN Stealing This attack is performed when the security screen pad generates accessibility events. Apps designed for accessibility app can see these even when the screen is locked.

  3. Phone Screen Unlocking Accessibility apps can also inject events while the phone is locked. If a secure lock screen is not used, an accessibility app can inject events to enter the PIN, unlock the phone and then do whatever it wants. All this can be done while the phone screen remains off.

  4. Silent App Installation This is the most lethal effect of this exploit. The initial malicious app (with only the two permissions) can contain within itself an APK for another app, which will request all permissions. It is possible to install this app while stealthily covering the screen with an on-top overlay. The installed app can be configured so that it does not appear in the launcher, and to have device admin privileges so that its uninstall button is disabled. Disguising it as a legitimate system app should complete the deception.

  5. Enabling All Permissions With the app installed as in the previous example, it is possible to automatically click and enable all the requested permissions while a full screen overlay is on top.

  6. Keystroke Inference Using this attack, it is possible even an app with only the SYSTEM_ALERT_WINDOW permission can learn what keys the victim touches on the onscreen keyboard, including any private messages and passwords. This works by creating several small transparent overlays, one on top of each key on the keyboard. The overlays don’t intercept any clicks, so these go to the underlying keyboard. The FLAG_WINDOW_IS_OBSCURED flag is set to “true” if a click event passed through a different overlay before reaching its destination. Combine this with the Motion Events and a careful stacking of overlays so each has a different Z-level, and you can tell based on the obscured flag which key was pressed.

  7. Keyboard App Hijacking This attack allows an attacker to seal the data which is entered by an victim via keyboard hijacking. Typically, when an app attempts to get the text of a password field, the getText method just returns an empty string. However, with BIND_ACCESSIBILITY_SERVICE permission, the keyboard app itself is treated as a normal unprivileged app, and each of the key widgets generates accessibility events through which all keystrokes can be recorded, including passwords.

  8. Targeted Password Stealing Accessibility service can be used to detect the application the victim just launched. By drawing a visible overlay that looks like the username and password EditText widgets and an overlay on top of the login button, an attacker can trick the victim in believing he is visiting an authentic server. However, once the credentials are entered and victim hits okay, the crafted overly sends this information to the attacker.

  9. 2FA Token Stealer Many of the well know IT giants like Google, Facebook and Twitter use 2FA tokens for verifying users or resetting user accounts. By using this attack, an attacker can take full control of the device and obtain full access to the text messages containing the reset token. Further any authenticator application which can be used for 2FA can also be controlled by the attacker using this technique.

  10. Ad Hijacking An accessibility app can figure out where and when ads are shown in an app. This draws an invisible overlay that sends clicks to an ad of the attacker’s choice, generating revenue.

Please Note: This article is for educational purposes only. We do not endorse the use of this information for malicious attacks. Sources

Cloak and Dagger: From Two Permissions to Complete Control of the UI Feedback Loop, Georgia Tech Cloak & Dagger, Cloak & Dagger

Cloak and Dagger: A hole in Android, Kaspersky Lab

Cloak & Dagger is a newly-discovered Android exploit that lets hackers hide malicious activity, TechCrunch

Android is vulnerable to “Cloak and Dagger” attack, Latest Hacking News