They’re calling it “Cloak and Dagger,” and it relies on the ability of apps to draw UI elements over the screen as a way of concealing from the user exactly what is being shown. In the example given, several prompts are displayed when a malicious app is opened. The user thinks they’re interacting with the app, but they’re actually enabling an accessibility service that can be used to log keystrokes, including passwords.
Then, the real magic happens. Here, the user is made to watch a video — all the while, in the background, the malware is flipping switches to grant itself a variety of other permissions, including the ability to read location, text messages, and storage.
Ironically, all apps downloaded through Google’s storefront can enable the two permissions necessary for the attack without the user’s knowledge. In other words, it’s on Google to detect the scheme before the app hits the Play Store. If it slips through, as some do from time to time, the only way the user could stop it is by digging into the apps menu and checking permissions granted.
One of the most dangerous aspects of the Cloak and Dagger scheme is that researchers say it can be used to record your PIN code to discreetly unlock your device and perform actions — without ever turning the screen on.
According to the researchers, the latest version of Android, release 7.1.2, modifies the way permissions are handled in a way that makes it slightly harder to carry out an attack like this one. However, it doesn’t fully solve the issue.
Google has since responded to the news, stating to Engadget that it has updated Google Play Protect, its security software on most Android devices, to detect the presence of harmful apps that abuse these permissions. The company also reports that changes it made in Android O will “further strengthen” the platform against Cloak and Dagger attacks.
