Report: Android UI design issues could secretly open up your phone to malicious attacks
A small team of security experts have recently exposed “design issues” in the Android UI, which, according to them, could be used by cybercriminals to imperceptibly steal passwords and personal data from smartphones running the latest Android 7.1.2 or earlier versions of the platform.
The experts describe a new technique called “Cloak & Dagger”, which makes it possible to turn a malicious app into an open, but well concealed door to your smartphone. It needs just two permissions to run: the first one enables the so-called “draw on top” feature used to, well, draw windows or other app elements on top of others, while the second, known as “a11y”, is meant to enable assistive interface features for users with disabilities. But once given, these permissions could allow hackers to pull off all kinds of tricks, such as registering every word you type, passwords included, or to install their own malicious apps with all permissions granted to get full control over the mobile device. Here is how such a stealth attack could look:
What makes this hack work is the fact that these two particular permissions are treated differently from the more traditional ones, such as Location or Wi-Fi usage. The user is not asked if they want to allow either of them. Instead, the “draw on top” permission is granted automatically to the app that requires it. Such an app, for instance, is Facebook Messenger, which needs to cover other apps when ChatHeads are enabled. This can be further exploited to obtain access to the “a11y” permission without the user's knowledge.
But not everything here is so scary as it might look. First, the Android UI vulnerabilities have been exposed by security experts, not hackers, and right now there are no known attacks or viruses that use the “Cloak & Dagger” exploit. Besides, all the relevant information is already presented to Google, so the giant is probably going to address the issue in its upcoming software developments. In fact, Google is already working on such security improvements intended to restrict apps from drawing over the system UI for its Android O platform.
And in the end, you do not have reasons to worry too much about “Cloak & Dagger” attacks if you are cautious when installing Android apps. As the rules of thumb go, always download your apps from trusted developers on Google Play and read the reviews before the installation.
And if you want to go the extra mile, permissions that are granted automatically can be fixed relatively easy. In Android 7.1.2, you can switch the "draw on top" permission off by opening "Settings> Apps> Settings (the Gear symbol) > Special acess> Draw over the apps". And you can check which apps require the “a11y” permission in “Settings> Accessibility> Services”.