Report: Android UI design issues could secretly open up your phone to malicious attacks
A small team of security experts has recently exposed “design issues” in the Android UI which, according to them, could be used by cybercriminals to imperceptibly steal passwords and personal data from smartphones running the latest Android 7.1.2 or earlier versions of the platform.
The experts describe a new technique called “Cloak & Dagger”, which makes it possible to turn a malicious app into an open but well concealed door to your smartphone. It needs just two permissions to run: the first enables the so-called “draw on top” feature, used to, well, draw windows or other app elements on top of others, while the second, known as “a11y”, is meant to enable assistive interface features for users with disabilities. But once granted, these permissions could allow hackers to pull off all kinds of tricks, such as recording every word you type, passwords included, or installing their own malicious apps with all permissions granted to gain full control over the mobile device. Here is how such a stealth attack could look:
But not everything here is as scary as it might look. First, the Android UI vulnerabilities were exposed by security experts, not hackers, and right now there are no known attacks or viruses that use the “Cloak & Dagger” exploit. Besides, all the relevant information has already been reported to Google, so the giant is probably going to address the issue in its upcoming software releases. In fact, Google is already working on security improvements intended to restrict apps from drawing over the system UI in its Android O platform.
And if you want to go the extra mile, permissions that are granted automatically can be fixed relatively easily. In Android 7.1.2, you can switch the "draw on top" permission off by opening "Settings> Apps> Settings (the Gear symbol) > Special access> Draw over the apps". And you can check which apps require the “a11y” permission in “Settings> Accessibility> Services”.
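A command-line version of that check, added here as an example and not part of the original report: it flags apps that hold both the "draw on top" permission (SYSTEM_ALERT_WINDOW) and an enabled accessibility service, the pairing Cloak & Dagger relies on. It assumes an adb-connected device and the output shapes of `settings get secure enabled_accessibility_services` and `appops get <package> SYSTEM_ALERT_WINDOW`; the sample strings are constructed so the script runs offline.

```shell
#!/bin/sh
# Audit the two permissions the article pairs. Each function takes raw
# command output as its argument so it runs offline; on a real device the
# output would come from:
#   adb shell settings get secure enabled_accessibility_services
#   adb shell appops get <package> SYSTEM_ALERT_WINDOW   (per package)
# The sample strings below are constructed, not captured from a device.

# Constructed: colon-separated component list, as `settings get` prints it.
SAMPLE_A11Y='com.example.reader/com.example.reader.ReaderService:com.example.suspect/.HelperService'

# Constructed: one "package|appops output" line per installed app.
SAMPLE_APPOPS='com.example.reader|No operations.
com.example.suspect|SYSTEM_ALERT_WINDOW: allow; time=+3h12m4s ago
com.example.game|SYSTEM_ALERT_WINDOW: allow; time=+1d ago'

# Package names with an enabled accessibility service (the part before "/").
# A device with none enabled prints "null", which matches nothing here.
a11y_packages() {
    printf '%s\n' "$1" | tr ':' '\n' | sed -n 's#^\([^/]*\)/.*#\1#p' | sort -u
}

# Package names whose SYSTEM_ALERT_WINDOW op is set to "allow".
overlay_packages() {
    printf '%s\n' "$1" | awk -F'|' '$2 ~ /^SYSTEM_ALERT_WINDOW: allow/ { print $1 }' | sort -u
}

# Packages holding BOTH permissions: the combination worth reviewing first.
both_packages() {
    a11y_list="$(a11y_packages "$1")"
    overlay_packages "$2" | while read -r pkg; do
        printf '%s\n' "$a11y_list" | grep -qxF -- "$pkg" && printf '%s\n' "$pkg"
    done
}

# Stand-alone run against the constructed samples.
both_packages "$SAMPLE_A11Y" "$SAMPLE_APPOPS" | sed 's/^/both permissions: /'
```

On a live device, replace the sample strings with the real `adb shell` output and review each flagged package in the Settings screens named above.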