Cybersecurity

Combination of features creates new Android vulnerability

Published 25 May 2017

A new vulnerability affecting Android mobile devices results not from a traditional bug, but from the malicious combination of two legitimate permissions that power desirable and commonly-used features in popular apps. The combination could result in a new class of attacks, which has been dubbed “Cloak and Dagger.”

The vulnerability, which was identified and tested in closed environments by computer scientists at the Georgia Institute of Technology, would allow attackers to silently take control of a mobile device, overlaying the graphical interface with false information to hide malicious activities being performed underneath – such as capturing passwords or extracting the user’s contacts. A successful attack would require the user to first install a type of malware that could be hidden in a pirated game or other app.

Georgia Tech researchers have disclosed the potential attack to Google, maker of the Android system, and details of the vulnerability are being presented this week at the 38th IEEE Symposium on Security and Privacy in San Jose, California. But because it involves two common features that can be misused even when they behave as intended, the issue could be more difficult to resolve than ordinary operating system bugs.

“In Cloak and Dagger, we identified two different Android features that when combined, allow an attacker to read, change or capture the data entered into popular mobile apps,” said Wenke Lee, a professor in Georgia Tech’s School of Computer Science and co-director of the Institute for Information Security & Privacy. “The two features involved are very useful in mapping, chat or password manager apps, so preventing their misuse will require users to trade convenience for security. This is as dangerous an attack as we could possibly describe.”

The research was sponsored by the National Science Foundation (NSF), Office of Naval Research (ONR) and the Defense Advanced Research Projects Agency (DARPA).

Georgia Tech says that the first permission feature involved in the attack, known as “BIND_ACCESSIBILITY_SERVICE,” supports the use of devices by disabled persons, allowing inputs such as user name and password to be made by voice command, and allowing outputs such as a screen reader to help the disabled view content. The second permission, known as “SYSTEM_ALERT_WINDOW,” is an overlay or “draw on top” feature that produces a window on top of the device’s usual screen to display bubbles for a chat program or maps for a ride-sharing app.
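
A defender-side check for the permission pair described above, as an added example that is not part of the original article or the researchers' work: it audits an app manifest for a SYSTEM_ALERT_WINDOW request together with a service bound by BIND_ACCESSIBILITY_SERVICE. The function name, the sample manifests and their package names are constructed for illustration, and the manifest is assumed to be already decoded to text XML.

```python
import xml.etree.ElementTree as ET

# Attribute names in a decoded manifest live in the android XML namespace.
A = "{http://schemas.android.com/apk/res/android}"
OVERLAY = "android.permission.SYSTEM_ALERT_WINDOW"
A11Y_BIND = "android.permission.BIND_ACCESSIBILITY_SERVICE"

def audit_manifest(xml_text):
    """Report whether a manifest asks for the overlay permission and also
    declares a service protected by BIND_ACCESSIBILITY_SERVICE."""
    root = ET.fromstring(xml_text)
    requested = set()
    for tag in ("uses-permission", "uses-permission-sdk-23"):
        requested.update(e.get(A + "name") for e in root.iter(tag))
    services = [s.get(A + "name") for s in root.iter("service")
                if s.get(A + "permission") == A11Y_BIND]
    overlay = OVERLAY in requested
    return {"overlay": overlay, "accessibility_services": services,
            "both": overlay and bool(services)}

# Constructed sample manifests (hypothetical packages, not from the article).
SAMPLE_BOTH = """<manifest xmlns:android="http://schemas.android.com/apk/res/android"
    package="com.example.freegame">
  <uses-permission android:name="android.permission.SYSTEM_ALERT_WINDOW"/>
  <application>
    <service android:name=".HelperService"
        android:permission="android.permission.BIND_ACCESSIBILITY_SERVICE">
      <intent-filter>
        <action android:name="android.accessibilityservice.AccessibilityService"/>
      </intent-filter>
    </service>
  </application>
</manifest>"""

SAMPLE_OVERLAY_ONLY = """<manifest xmlns:android="http://schemas.android.com/apk/res/android"
    package="com.example.chat">
  <uses-permission android:name="android.permission.SYSTEM_ALERT_WINDOW"/>
  <application><service android:name=".SyncService"/></application>
</manifest>"""

if __name__ == "__main__":
    for name, doc in (("both", SAMPLE_BOTH), ("overlay only", SAMPLE_OVERLAY_ONLY)):
        print(name, audit_manifest(doc))
```

Because both features are also used by legitimate apps, a match is a prompt for closer review of the app rather than proof of malicious intent.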