Cloak and Dagger: New Vulnerability for Android

Cloak & Dagger is a new vulnerability that was recently discovered by scientists at the Georgia Institute of Technology in Atlanta.

Cloak & Dagger is a new class of potential attacks affecting all Android devices; keep in mind that only a few devices are running Android Nougat even a year after its launch. These attacks allow a malicious app to completely control the UI feedback loop and take over the device without giving the user a chance to notice the malicious activity. The attacks require only two permissions that, if the app is installed from the Play Store, the user does not need to explicitly grant and for which she is not even notified. The researchers' user study indicates that these attacks are practical. These attacks affect all recent versions of Android (including the latest version, Android 7.1.2), and they are yet to be fixed.

“Cloak and dagger” is a new kind of attack vector affecting Android devices (including the latest version, 7.1.2). “Attacks allow a malicious app to completely control the UI feedback loop and take over the device – without giving the user a chance to notice the malicious activity,” according to the researchers.


The attacks abuse one or both of the SYSTEM_ALERT_WINDOW (“draw on top”) and BIND_ACCESSIBILITY_SERVICE (“a11y”) permissions. If the malicious app is installed from the Play Store, the user is not notified about these permissions, and no explicit permission needs to be granted for the attacks to succeed. It is not a traditional bug but rather a malicious combination of two legitimate permissions used in popular apps. Attacks such as capturing passwords or extracting contacts might be possible, according to the Georgia Tech team.

Data source: Cloak & Dagger. Refer to that site for more information.

List of Attacks

Attacks that abuse the “draw on top” permission:

  • Context-aware clickjacking and context hiding: two techniques that make luring the user to enable the accessibility service practical, even when the latest security mechanisms (e.g., “obscured flag”) are correctly implemented and enabled. (Note: others have identified ways to use clickjacking to get a11y.)
  • Invisible Grid Attack, allowing unconstrained keystroke recording, including password, private messages, etc.

Attacks that abuse “accessibility service” permission:

  • Unconstrained keystroke recording, including passwords. According to the documentation, this should not be possible.
  • Security PIN stealing without informing the user.
  • Device unlock through PIN injection + perform arbitrary actions while keeping the screen off! That makes it a big security flaw.
  • Stealing two-factor authentication tokens (SMS-based, Google Authenticator, and other app-based tokens)
  • Ad hijacking
  • Web exploration

Attacks that abuse both permissions:

  • Silent installation of God-mode app (with all permissions enabled)
  • Stealthy phishing (for which the user finds herself logged in, as she would expect)

Risks arise largely from malicious code within pirated apps. The attack method has been reported to Google.

Winston Bond, EMEA technical director at application security outfit Arxan Technologies, commented: “The discovery of the latest ‘cloak and dagger’ threat facing Android devices demonstrates just how dangerous corrupted or malicious fake applications can be.

“Users have traditionally been told they will be safe as long as they only download apps from official sources and don’t pirate software, but we have increasingly seen cases of malicious apps being downloaded from within app stores or official websites.

“Developers can no longer rely on the ‘walled garden’ approach of app stores to protect their users from malicious copies of their apps, and need to proactively defend their software from criminals seeking to tamper with its code and turn it into a weapon.”

It is therefore recommended to download apps from the Play Store only if the developer is a reputable one.