Combination of features creates new android vulnerability

When combined in a malicious way, “SYSTEM_ALERT_WINDOW” acts as a cloak, while “BIND_ACCESSIBILITY_SERVICE” serves as the dagger. The two could allow attackers to draw a window that fools users into believing they are interacting with legitimate features of the app. The malicious program, operating as the overlay, would then capture the user’s credentials for the malware author, while the accessibility permission would enter the credentials into the real app hidden beneath, allowing it to operate as expected, leaving the user with no clue that anything is awry.

The researchers tested a simulated attack on twenty users of Android mobile devices and found that none of them noticed the attack.

Of most concern to Georgia Tech’s researchers is that these permissions may be automatically included in legitimate apps from the Google Play store, meaning users do not need to explicitly grant permissions for the attack to succeed. 

“This is a design flaw that some might say allows the app functionality to work as intended, but our research shows that it can be misused,” said Yanick Fratantonio, the paper’s first author and a Georgia Tech Ph.D. summer intern from the University of California Santa Barbara. “Once the phone is compromised, there may be no way for the user to understand what has happened.”

Nearly 10 percent of the top 5,000 Android apps use the overlay feature, noted Fratantonio, and many are downloaded with the accessibility feature enabled. 

While both permissions have been used separately as user-interface redressing attacks and “a11y attacks,” previous research did not examine what happens when they are combined, noted Simon P. Chung, a research scientist at Georgia Tech’s School of Computer Science and one of the study’s co-authors.

Creating vulnerabilities when permissions are combined may be a reality that system developers will have to consider more seriously in the future, Fratantonio said. “Changing a feature is not like fixing a bug,” he explained. “System designers will now have to think more about how seemingly unrelated features could interact. Features do not operate separately on the device.”

Android versions up to and including the current 7.1.2 are vulnerable to this attack. The researchers caution that it may be difficult to determine the status of the settings required for the attack.

There are two key precautions, Lee and Fratantonio agree. One is to avoid downloading apps from providers other than branded outlets such as the Google Play store. A second step is to check the permission requests that apps make before allowing them to operate.

“Users need to be careful about the permissions that new apps request,” said Lee. “If there are very broad permissions, or the permissions don’t seem to match what the app is promising to do, you need to be sure you really need that app.”

The researchers have produced a video that shows the attack and how to check these permissions, which are in different locations depending on the mobile operating system version.

“Apps from name-brand sources such as Facebook, Uber and Skype should be okay,” said Lee. “But with a random game or free versions of paid apps that you might download, you should be very careful. These features are very powerful and can be abused to do anything you could do as a user – without you knowing.”

In addition to the researchers already mentioned, the project also included Chenxiong Qian from Georgia Tech. 

— Read more in Yanick Fratantonio, et al., “Cloak and Dagger: From Two Permissions to Complete Control of the UI Feedback Loop,” 38th IEEE Security and Privacy Symposium (22-24 May 2017)