A new series of vulnerabilities in Android has been discovered by researchers at the University of California Santa Barbara and the Georgia Institute of Technology. Titled "Cloak & Dagger", this new class of vulnerabilities and attack vectors makes use of overlays and accessibility service permissions in Android. These services can potentially allow a malicious application to perform unwanted actions, including collecting data input on the device and so-called "clickjacking." The latter term refers to a user believing they are performing one action while a different one is actually taking place beneath a deceptive overlay.
The researchers first spoke to Google about the problem 9 months ago. Although some progress has been made, a number of the vulnerabilities are still present, even in the most recent version of Android 7.1.2 Nougat with the latest security updates. Unfortunately, that is partly by design. Some of the mechanisms being manipulated for the exploit, like the SYSTEM_ALERT_WINDOW and BIND_ACCESSIBILITY_SERVICE permissions, are legitimately required by some applications.
Accessibility services, like the one used by this exploit, often have to intercept things like keystrokes and input to function correctly. After all, people who are hard of hearing or visually impaired need augmented means to confirm that the content of a given input is correct. Some of these tools can't be drastically changed without also breaking how the associated accessibility services work for the people who need them. That may make potential solutions somewhat difficult in the future.
Overlays have had security implications for a while now. A screen overlay detection notification was even added in Marshmallow, though it was removed in Nougat. As a result, it isn't super surprising that an issue like this could be a problem. Perhaps in the future we'll see a return of the overlay notification. Overlays are drawn via the SYSTEM_ALERT_WINDOW permission, which allows an application to draw over another foregrounded application. Normally you'd expect that to be used for things like a hovering indicator that stays on screen, or something similar to the old Facebook Chat Heads. Unfortunately, there are plenty of ways to abuse it.
Overlays don't have to cover just a portion of the screen; they can also masquerade as full-screen applications, which brings up the clickjacking problem. You might think you're using an innocuous app, but the interactive elements it presents could be driving subversive activity underneath. At least when an exploit uses only accessibility services, those services have to be explicitly enabled by the user. If you are clickjacked, however, those services can be toggled on in the background by input you believed was meant for another purpose: when you tap to perform actions in the overlay, the touches actually pass through to the layer below, and the app could be guiding you into settings to enable extra permissions or perform other nefarious acts. Any number of changes to the system can be made silently.
The same sort of overlay can also be made invisible. The researchers laid a grid of overlays over the software keyboard and recorded which part of the grid each touch passed through, which let them reconstruct the text being entered. With this, they were able to intercept and record information like typed text, including usernames and passwords.
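The app-side defence against the overlay clickjacking described in the two paragraphs above is to refuse touches that arrive while another window is drawn over the sensitive control. The following is an added example, not code from the researchers or from Google; it assumes a hypothetical `ObscuredTouchAwareButton` placed on a sensitive screen and uses the Android framework's `filterTouchesWhenObscured` mechanism together with the `MotionEvent` obscured flags, plus a helper that lists the accessibility services currently enabled so an app can surface that in its own telemetry.

```java
import android.accessibilityservice.AccessibilityServiceInfo;
import android.content.Context;
import android.os.Build;
import android.util.AttributeSet;
import android.util.Log;
import android.view.MotionEvent;
import android.view.accessibility.AccessibilityManager;
import android.widget.Button;

import java.util.ArrayList;
import java.util.List;

// Hypothetical button for security-sensitive actions ("Confirm", "Grant") that
// drops any touch delivered while another window is drawn over this one.
public class ObscuredTouchAwareButton extends Button {
    private static final String TAG = "OverlayGuard";

    public ObscuredTouchAwareButton(Context context, AttributeSet attrs) {
        super(context, attrs);
        // Same effect as android:filterTouchesWhenObscured="true" in the layout XML:
        // the framework discards touches that carry FLAG_WINDOW_IS_OBSCURED.
        setFilterTouchesWhenObscured(true);
    }

    // Invoked by the framework before onTouchEvent; returning false discards the event.
    @Override
    public boolean onFilterTouchEventForSecurity(MotionEvent event) {
        int flags = event.getFlags();
        boolean fullyObscured = (flags & MotionEvent.FLAG_WINDOW_IS_OBSCURED) != 0;
        // The partial flag only exists from Android 10 (API 29) onwards; the default
        // filter lets partially obscured touches through, so we check it explicitly.
        boolean partiallyObscured = Build.VERSION.SDK_INT >= Build.VERSION_CODES.Q
                && (flags & MotionEvent.FLAG_WINDOW_IS_PARTIALLY_OBSCURED) != 0;
        if (fullyObscured || partiallyObscured) {
            Log.w(TAG, "Dropped touch on view " + getId() + ": window is obscured");
            return false;
        }
        return super.onFilterTouchEventForSecurity(event);
    }

    // Defensive telemetry: component ids of accessibility services enabled right now.
    // An app cannot tell a benign service from a malicious one, but it can log this
    // next to sensitive actions so an unexpected service shows up in review.
    public static List<String> enabledAccessibilityServices(Context context) {
        AccessibilityManager am =
                (AccessibilityManager) context.getSystemService(Context.ACCESSIBILITY_SERVICE);
        List<String> ids = new ArrayList<>();
        for (AccessibilityServiceInfo info
                : am.getEnabledAccessibilityServiceList(AccessibilityServiceInfo.FEEDBACK_ALL_MASK)) {
            ids.add(info.getId());
        }
        return ids;
    }
}
```

Dropping obscured touches also blocks legitimate overlays such as screen-dimming or colour-filter apps, so reserve it for the few controls where a silent mis-tap is costly rather than applying it to every view.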
At least in the meantime, Google has stated that Google Play Protect is able to detect and prevent the installation of applications that might try to use such exploits. So, for now, we should be careful about installing applications from other sources or enabling their installation. Granted, that's good advice to follow at any time.
- Cloak and Dagger