Report: Android UI design issues could secretly open up your phone to malicious attacks

Being the most popular smartphone OS worldwide, it is no surprise that Android draws great interest from attackers. That is why Google keeps working to improve the security of Android-based smartphones with monthly updates that patch known bugs and security holes. But vulnerabilities are not always caused by errors in the code: it appears that some deliberate features of the Android user interface can also put mobile devices at risk.

A small team of security researchers has recently exposed "design issues" in the Android UI which, according to them, could be used by cybercriminals to imperceptibly steal passwords and personal data from smartphones running the latest Android 7.1.2 or earlier versions of the platform.

The researchers describe a new class of attacks called "Cloak & Dagger", which turn a malicious app into an open, but well concealed, door to your smartphone. The attacks need at most two permissions: the first enables the so-called "draw on top" feature (SYSTEM_ALERT_WINDOW), used to, well, draw windows or other app elements on top of other apps, while the second, known as "a11y" (an accessibility service), is meant to enable assistive interface features for users with disabilities. Once granted, these two permissions let an attacker pull off all kinds of tricks, such as recording every word you type, passwords included, or silently installing their own apps with all permissions granted to get full control over the device. The researchers' demo video, embedded in the original article, shows how such a stealth attack could look.

What makes this work is that these two permissions are handled differently from the more traditional runtime permissions, such as Location. For "draw on top" the user is not asked at all: on these Android versions it is granted automatically to apps installed from Google Play that request it. A legitimate example is Facebook Messenger, which needs to cover other apps when Chat Heads are enabled. The "a11y" permission does have to be switched on by the user in Settings, but that is where the overlay comes in: a malicious app can draw an opaque or misleading window over the accessibility settings screen and trick the user into tapping through it, so the attacker ends up with the accessibility permission as well without the user's knowledge.

But it is not all as scary as it might look. First, the Android UI weaknesses were exposed by security researchers, not criminals, and right now there are no known attacks or malware in the wild that use the "Cloak & Dagger" techniques. Besides, all the relevant information has already been reported to Google, so the company is likely to address the issues in upcoming releases. In fact, Google is already working on security improvements for Android O that restrict apps from drawing over the system UI.

In the end, you do not have much reason to worry about "Cloak & Dagger" attacks if you are cautious when installing Android apps. As the rules of thumb go, only install apps from trusted developers on Google Play and read the reviews before installing. Keep in mind, though, that because "draw on top" is granted automatically to Play Store apps, the store alone is not a guarantee: be suspicious of any app that asks you to enable an accessibility service it has no obvious need for.

And if you want to go the extra mile, the automatically granted permission can be revoked relatively easily. In Android 7.1.2, you can switch the "draw on top" permission off for individual apps under "Settings > Apps > Settings (the gear icon) > Special access > Draw over other apps". You can also check which accessibility services are switched on under "Settings > Accessibility > Services", and disable any you do not recognize.
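The same check can be scripted over adb, which is handy if you have more than one device to audit. The script below is an added example and is not code from the article or the Cloak & Dagger researchers; it assumes `adb` is on your PATH with a single device attached when `audit_device()` is called, while the parsing and assessment functions take plain text and run offline. The `SAMPLE_*` values are constructed to stand in for real adb output, and the package name `com.example.helper` is a hypothetical app.

```python
"""Audit a connected Android device for the two Cloak & Dagger permissions.

Added example, not code from the article or the Cloak & Dagger researchers.
Assumes `adb` is on PATH and a single device is attached when audit_device()
is called; the parsing and assessment functions take plain text and run
offline, and the SAMPLE_* values below are constructed for illustration.
"""
from __future__ import annotations

import subprocess

OVERLAY_OP = "SYSTEM_ALERT_WINDOW"               # appops name of "draw on top"
A11Y_SETTING = "enabled_accessibility_services"  # Settings.Secure key


def adb_shell(*args: str) -> str:
    """Run `adb shell <args>` and return its trimmed stdout."""
    proc = subprocess.run(["adb", "shell", *args], capture_output=True,
                          text=True, check=True)
    return proc.stdout.strip()


def parse_enabled_a11y_services(value: str) -> list[str]:
    """Parse the ENABLED_ACCESSIBILITY_SERVICES setting.

    The value is a colon-separated list of flattened component names
    ("package/Class"); an empty string or the literal "null" means no
    accessibility service is enabled at all.
    """
    value = value.strip()
    if not value or value == "null":
        return []
    return [c.strip() for c in value.split(":") if c.strip()]


def parse_appops_mode(output: str, op: str = OVERLAY_OP) -> str:
    """Extract the mode ("allow", "ignore", "deny", "default") for one op
    from `appops get <pkg> <op>` output. "No operations." means the op was
    never set for that package, which is reported here as "default"."""
    for line in output.splitlines():
        line = line.strip()
        if line.startswith(op + ":"):
            # e.g. "SYSTEM_ALERT_WINDOW: allow; time=+3d2h ago"
            return line.split(":", 1)[1].split(";", 1)[0].strip()
    return "default"


def assess(overlay_modes: dict[str, str],
           a11y_services: list[str]) -> dict[str, list[str]]:
    """Group packages by which of the two permissions they hold.

    overlay_modes maps package -> appops mode for SYSTEM_ALERT_WINDOW;
    a11y_services is the list from parse_enabled_a11y_services(). A package
    in "both" holds exactly the pair the Cloak & Dagger attacks combine.
    """
    overlay = {pkg for pkg, mode in overlay_modes.items() if mode == "allow"}
    a11y = {comp.split("/", 1)[0] for comp in a11y_services}
    return {
        "both": sorted(overlay & a11y),
        "overlay_only": sorted(overlay - a11y),
        "a11y_only": sorted(a11y - overlay),
    }


def audit_device() -> dict[str, list[str]]:
    """Live audit: query every third-party package over adb and assess."""
    listing = adb_shell("pm", "list", "packages", "-3").splitlines()
    pkgs = [l.split(":", 1)[1] for l in listing if l.startswith("package:")]
    overlay_modes = {p: parse_appops_mode(adb_shell("appops", "get", p, OVERLAY_OP))
                     for p in pkgs}
    a11y = parse_enabled_a11y_services(
        adb_shell("settings", "get", "secure", A11Y_SETTING))
    return assess(overlay_modes, a11y)


# Constructed sample data standing in for real adb output (hypothetical apps).
SAMPLE_A11Y = ("com.example.helper/.HelperService:"
               "com.google.android.marvin.talkback/"
               "com.google.android.marvin.talkback.TalkBackService")
SAMPLE_APPOPS = {
    "com.example.helper": "SYSTEM_ALERT_WINDOW: allow; time=+3d2h ago",
    "com.facebook.orca": "SYSTEM_ALERT_WINDOW: allow; time=+1h ago",
    "com.example.notes": "No operations.",
}


def sample_assessment() -> dict[str, list[str]]:
    """Run the offline pipeline over the constructed sample."""
    modes = {pkg: parse_appops_mode(out) for pkg, out in SAMPLE_APPOPS.items()}
    return assess(modes, parse_enabled_a11y_services(SAMPLE_A11Y))


if __name__ == "__main__":
    for group, members in sample_assessment().items():
        print(f"{group}: {', '.join(members) or '-'}")
```

Packages listed under "both" deserve a close look, since that is precisely the combination the attacks rely on; a messaging app in "overlay_only" (like Messenger with Chat Heads) or a screen reader in "a11y_only" is expected. The live audit only walks third-party packages (`pm list packages -3`), so a system screen reader will show up in the accessibility list but not in the overlay list.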

If you want all the details about the "Cloak & Dagger" attacks, check out the researchers' website linked below.

source: Cloak&Dagger via Android Community


24 Comments

1. Zylam

Posts: 1816; Member since: Oct 20, 2010

It's alright, we'll get Tizen soon and it will be the most secure OS on the planet with the best UI.

3. Mellow

Posts: 19; Member since: Mar 27, 2017

"It may be the worst code I've ever seen. Everything you can do wrong there, they do it. You can see that nobody with any understanding of security looked at this code or wrote it. It's like taking an undergraduate and letting him program your software... You can update a Tizen system with any malicious code you want." - from PhoneArena's previous article about Tizen OS security flaws exposed by an Israeli security researcher.

14. umaru-chan

Posts: 358; Member since: Apr 27, 2017

100% sure Zylam was being sarcastic. Tizen is the worst OS there is, regardless of what Samsung fanboys say in the comment section. Regarding the UI design issues, I wouldn't be surprised to hear that Samsung has the weakest UI security in the Android world.

4. Gustavoar

Posts: 22; Member since: Jan 13, 2016

@Zylam don't be so naive. There are already reports that Tizen has lots of vulnerabilities because of the poor security measures used by Samsung. There aren't exploits right now because its market share is practically non-existent.

5. mikehunta727 unregistered

Lol, pretty sure Zylam was being purely sarcastic.

9. Podrick

Posts: 1285; Member since: Aug 19, 2015

Yeah, they didn't get it. Maybe because non-regular PA readers don't know Zylam is a Samsung hater.

7. peace247 unregistered

Been using Android for the past 6 years... never had any problem.

2. AmashAziz

Posts: 2923; Member since: Jun 30, 2014

Listen peeps, both iOS and Android got issues, OK? Let's end this debate here.

8. Podrick

Posts: 1285; Member since: Aug 19, 2015

"Listen peeps" Read that as "Listen sheeps" for a moment haha.

10. Flash

Posts: 1972; Member since: May 19, 2017

But the Android fans will never admit that. They are too busy crying foul on Apple articles.

11. TechieXP1969

Posts: 14967; Member since: Sep 25, 2013

We don't need to admit the obvious. But iOS fans lie about the obvious and duck and dodge the obvious. All software is buggy. No matter what bugs you fix there will still be plenty. Not all bugs can be exploited so they may never get fixed. The only reason this is ever a debate is because people are idiots. All software has at least 1 bug. How many is not even relevant, because no matter how many are found, many never will be. But it's the iFans who talk about perfect software as if they have such.

12. MDCHO

Posts: 769; Member since: Jul 28, 2016

Just like you are always too busy crying and trolling on Android and BlackBerry articles, mxyzptlk. Now watch you respond saying that I am someone else to try and deflect from the truth of you being mxyzptlk using a fake account.

18. sissy246

Posts: 7111; Member since: Mar 04, 2015

Exactly.....

21. NoToFanboys

Posts: 3231; Member since: Oct 03, 2015

Wait for his classic one-liners. "You're a hypocrite" (ironic, since he's the biggest hypocrite on this site) or "You are wrong"; basically he says that to anyone who is not an Apple fan.

24. MDCHO

Posts: 769; Member since: Jul 28, 2016

@NoToFanboys Lol lol lol. You are correct. He now uses another one of his cheap one-liners: "don't deny the truth." He is the only one that denies anything.

22. Flash

Posts: 1972; Member since: May 19, 2017

Meanestgenius, don't you deny the truth.

23. MDCHO

Posts: 769; Member since: Jul 28, 2016

Lol lol lol. See? I predicted what this troll would do and say. He is too obvious with his method.

17. sissy246

Posts: 7111; Member since: Mar 04, 2015

OMG it goes both ways. Apple fans don't like to admit it either.

6. buccob

Posts: 2968; Member since: Jun 19, 2012

This vulnerability has been known at least since Lollipop. That was the main reason why Sony dropped Small Apps on their recent phones... an otherwise great way to multitask on compact devices. Google started advising against the use of apps over apps... and instead resorted to split-view multitasking. I do miss Small Apps on my XZ since it was a very fast way to get me a calculator.... and I also used certain floating widgets on top of my navigation map (music, big clock) for easy access. However, split screen has mitigated some of that lost functionality, and the fast performance of the XZ makes up for the rest.

20. cnour

Posts: 2305; Member since: Sep 11, 2014

Sorry, but what is new in this article? We all know that Android is not secure and will remain so.
