New Android exploit lets hackers steal passwords with hidden on-screen tricks

In one case, they created an overlay that looks exactly like the Facebook app’s password entry field

Aatif Sulleyman
Friday 26 May 2017 18:14
Comments
The exploit affects multiple versions of Android
The exploit affects multiple versions of Android

Researchers have discovered a new exploit that could let hackers secretly hijack your phone while you’re using it.

They successfully carried out proof of concept attacks on multiple versions of Android, up to the 7.1.2 build of Nougat.

Using the exploit, criminals can trick you into tapping buttons you can’t see, as well as record everything you do on your phone and collect important information, such as your passwords and PINs, without you even noticing.

Called Cloak and Dagger, it takes advantage of two permissions on the Android operating system: SYSTEM_ALERT_WINDOW (“draw on top”) and BIND_ACCESSIBILITY_SERVICE (“a11y”).

The “draw on top” permission lets apps display their content over other apps.

The research team, from UC Santa Barbara and Georgia Tech, took advantage of this functionality by building interactive overlays designed to look exactly like popular programs you wouldn’t usually think twice about entering your login details into.

In one case, they created an overlay that looks exactly like the Facebook app’s password entry field. If you failed to spot it, as many users would, you’d end up feeding your password directly to criminals.

In another instance, they created an invisible overlay that sat on top of the Android keyboard, which would be able to record every single thing you type.

“If the malicious app is installed from the Play Store, the user is not notified about the permissions and she does not need to explicitly grant them for the attacks to succeed. In fact, in this scenario, ‘draw on top’ is automatically granted,” the researchers say.

“Most of these attacks are due to design issues, and they are thus challenging to prevent. In fact, one may say that some of these functionality work "as intended"; Nonetheless, this work shows that this functionality can be abused.

To date, all these attacks are still practical.”

To protect yourself, you can check which applications have access to the "draw on top" and a11y permissions. The Cloak and Dagger researchers have compiled a list of instructions, which users on different versions of Android can follow.

“We’ve been in close touch with the researchers and, as always, we appreciate their efforts to help keep our users safer,” said Google.

“We have updated Google Play Protect — our security services on all Android devices with Google Play — to detect and prevent the installation of these apps. Prior to this report, we had already built new security protections into Android O that will further strengthen our protection from these issues moving forward.”

Register for free to continue reading

Registration is a free and easy way to support our truly independent journalism

By registering, you will also enjoy limited access to Premium articles, exclusive newsletters, commenting, and virtual events with our leading journalists

Please enter a valid email
Please enter a valid email
Must be at least 6 characters, include an upper and lower case character and a number
Must be at least 6 characters, include an upper and lower case character and a number
Must be at least 6 characters, include an upper and lower case character and a number
Please enter your first name
Special characters aren’t allowed
Please enter a name between 1 and 40 characters
Please enter your last name
Special characters aren’t allowed
Please enter a name between 1 and 40 characters
You must be over 18 years old to register
You must be over 18 years old to register
Opt-out-policy
You can opt-out at any time by signing in to your account to manage your preferences. Each email has a link to unsubscribe.

By clicking ‘Create my account’ you confirm that your data has been entered correctly and you have read and agree to our Terms of use, Cookie policy and Privacy notice.

This site is protected by reCAPTCHA and the Google Privacy policy and Terms of service apply.

Already have an account? sign in

By clicking ‘Register’ you confirm that your data has been entered correctly and you have read and agree to our Terms of use, Cookie policy and Privacy notice.

This site is protected by reCAPTCHA and the Google Privacy policy and Terms of service apply.

Register for free to continue reading

Registration is a free and easy way to support our truly independent journalism

By registering, you will also enjoy limited access to Premium articles, exclusive newsletters, commenting, and virtual events with our leading journalists

Already have an account? sign in

By clicking ‘Register’ you confirm that your data has been entered correctly and you have read and agree to our Terms of use, Cookie policy and Privacy notice.

This site is protected by reCAPTCHA and the Google Privacy policy and Terms of service apply.

Join our new commenting forum

Join thought-provoking conversations, follow other Independent readers and see their replies

Comments

Thank you for registering

Please refresh the page or navigate to another page on the site to be automatically logged inPlease refresh your browser to be logged in