Combining 2 features opens Android devices to hacking
ATLANTA, Georgia: The malicious combination of two features leaves Android devices vulnerable to hacking.
The two legitimate permissions power desirable and commonly used features in popular apps, and computer scientists at the Georgia Institute of Technology have dubbed the vulnerability “Cloak and Dagger.”
The vulnerability allows attackers to silently take control of a mobile device, overlaying the graphical interface with false information to hide malicious activities being performed underneath – such as capturing passwords or extracting the user’s contacts. A successful attack would require the user to first install a type of malware that could be hidden in a pirated game or other app.
Georgia Tech researchers have disclosed the potential attack to Google, maker of the Android system.
“In Cloak and Dagger, we identified two different Android features that when combined, allow an attacker to read, change or capture the data entered into popular mobile apps,” said Wenke Lee, a professor in Georgia Tech’s School of Computer Science and co-director of the Institute for Information Security & Privacy. “The two features involved are very useful in mapping, chat or password manager apps, so preventing their misuse will require users to trade convenience for security. This is as dangerous an attack as we could possibly describe.”
The first permission feature involved in the attack supports the use of devices by disabled persons, allowing inputs such as user name and password to be made by voice command, and allowing outputs such as a screen reader to help the disabled view content.
The second permission is an overlay or “draw on top” feature that produces a window on top of the device’s usual screen to display bubbles for a chat program or maps for a ride-sharing app.
When combined, the two permissions could allow attackers to draw a window that fools users into believing they are interacting with legitimate features of the app.
The malicious program, operating as the overlay, would then capture the user’s credentials for the malware author, while the accessibility permission would enter the credentials into the real app hidden beneath, allowing it to operate as expected, leaving the user with no clue that anything is awry.
The researchers tested a simulated attack on 20 users of Android mobile devices and found that none of them noticed the attack. — Galtech News