Security News Cloak and Dagger Android Vulnerability is Supremely Dangerous

Exterminator

Community Manager
Thread author
Oct 23, 2012
A new vulnerability for Android, dubbed Cloak and Dagger, has been discovered by the Georgia Institute of Technology. It makes it easier for bad actors to pass off trojanized apps as legitimate.

According to GIT, it results not from a traditional bug, but from the malicious combination of two legitimate permissions. These underpin commonly used features in popular apps. The first permission feature supports the use of devices by disabled persons, allowing inputs such as user name and password to be made by voice command, and allowing outputs such as a screen reader to help the disabled view content. The second is an overlay or “draw-on-top” feature that produces a window on top of the device's usual screen to display bubbles for a chat program or maps for a ride-sharing app.

The vulnerability would allow attackers to use a trojanized app to silently take control of a mobile device. From there, the bad actors can overlay the graphical interface with false information, while malicious activities go on underneath, like capturing passwords or extracting the user's contacts.

"In Cloak and Dagger, we identified two different Android features that when combined, allow an attacker to read, change or capture the data entered into popular mobile apps," said Wenke Lee, a professor in Georgia Tech's School of Computer Science and co-director of the Institute for Information Security & Privacy, in a release on the research. "The two features involved are very useful in mapping, chat or password manager apps, so preventing their misuse will require users to trade convenience for security. This is as dangerous an attack as we could possibly describe."

Of most concern to Georgia Tech's researchers is that these permissions may be automatically included in legitimate apps from the Google Play store, meaning users do not need to explicitly grant permissions for the attack to succeed. Nearly 10% of the top 5,000 Android apps use the overlay feature, noted Fratantonio, and many are downloaded with the accessibility feature enabled.

The researchers tested a simulated attack on 20 users of Android mobile devices and found that none of them noticed the attack.

Georgia Tech researchers have disclosed the potential attack to Google, but noted that because the issue involves two common features that can be misused even when they behave as intended, the issue could be more difficult to resolve than ordinary operating system bugs.

"Changing a feature is not like fixing a bug," said Yanick Fratantonio, the paper's first author. "System designers will now have to think more about how seemingly unrelated features could interact. Features do not operate separately on the device."

Winston Bond, EMEA technical director at Arxan Technologies, noted in an email that the discovery demonstrates once again just how dangerous corrupted or malicious fake applications can be.

“Apps which have been broken into and reverse engineered are a crucial vector for delivering malware used to initiate these kinds of advanced attack methods, enabling the attacker to covertly mine sensitive data for extended periods of time,” he said. “Users have traditionally been told they will be safe as long as they only download apps from official sources and don’t pirate software, but we have increasingly seen cases of malicious apps being downloaded from within app stores or official websites.”

In other words, developers can no longer rely on the official app stores to protect their users.

“[Developers] need to proactively defend their software from criminals seeking to tamper with its code and turn it into a weapon,” Bond noted. “Defensive techniques such as code obfuscation and debugger detection, which will protect important code and shut the app down if it is tampered with, need to become standard practice as attackers find increasingly inventive ways to use apps as weapons.”

Android versions up to and including the current 7.1.2 are vulnerable to this attack, researchers said.
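One app-side mitigation against the overlay half of the attack described above, as an added example that is not code from the article or from the Georgia Tech researchers: the Activity drops any touch delivered while another window is drawn on top of it, and lists enabled third-party accessibility services so a login screen can warn before accepting credentials. The layout and view ids and the package-name heuristic are assumptions.

```java
// Added example (not from the article): fail-closed login screen.
import android.accessibilityservice.AccessibilityServiceInfo;
import android.app.Activity;
import android.os.Bundle;
import android.view.MotionEvent;
import android.view.accessibility.AccessibilityManager;
import android.widget.EditText;
import java.util.ArrayList;
import java.util.List;

public class LoginActivity extends Activity {
    private EditText password; // assumed to exist in the layout as R.id.password

    @Override
    protected void onCreate(Bundle savedInstanceState) {
        super.onCreate(savedInstanceState);
        setContentView(R.layout.activity_login); // hypothetical layout resource
        password = findViewById(R.id.password);
        // Framework tapjacking defence: this view ignores touches that arrive
        // while any other window (an overlay) is obscuring it.
        password.setFilterTouchesWhenObscured(true);
    }

    @Override
    public boolean dispatchTouchEvent(MotionEvent ev) {
        // Same check for the whole Activity window: an obscured touch is
        // discarded before it can reach any view.
        if ((ev.getFlags() & MotionEvent.FLAG_WINDOW_IS_OBSCURED) != 0) {
            return false;
        }
        return super.dispatchTouchEvent(ev);
    }

    /** Package names of enabled accessibility services that look third-party.
     *  The prefix test is a crude heuristic (assumption); a real app would
     *  show a warning and let the user decide before entering credentials. */
    List<String> thirdPartyAccessibilityServices() {
        AccessibilityManager am =
            (AccessibilityManager) getSystemService(ACCESSIBILITY_SERVICE);
        List<String> result = new ArrayList<>();
        for (AccessibilityServiceInfo info :
                am.getEnabledAccessibilityServiceList(AccessibilityServiceInfo.FEEDBACK_ALL_MASK)) {
            String pkg = info.getResolveInfo().serviceInfo.packageName;
            if (!pkg.startsWith("com.android.") && !pkg.startsWith("com.google.")) {
                result.add(pkg);
            }
        }
        return result;
    }
}
```

Neither check stops the accessibility half of the attack on its own, which is why the researchers say the fix has to come from the platform rather than individual apps.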
 

oneeye

Jul 14, 2014
Hi all,

I have loaded all my user names and passwords into Keepass 2 for Android, a password manager with a built-in keyboard that lets me enter them without typing or copy-pasting. But for simple online accounts, I allow my browsers to auto-load them. Even though I'm better protected on Android 7.0, there is always the chance I could make a mistake and end up with some malicious app that could still affect me. Better safe than sorry, and now, finally, I have a safe backup of all my passwords. If you are not using a password manager, then you really need to consider one soon. Keepass is open source, free, and available for all platforms.
 

soccer97

May 22, 2014
At this point, it is not just apps. Someone I know had ransomware on their patched and up-to-date device (well, the most recent carrier version); it was 2-3 months behind on 'Security update levels' from Google and Samsung.

It comes back to using good internet habits. Now if there were only a principle of least privilege........

It was a drive-by attack, likely because they accidentally clicked a banner ad within an app or website. I saw it and yelled "Stop, don't press that button!".

I eventually noticed how often ESET Mobile Security for Android was updating databases. As of lunchtime on May 31, 2017, there have been 279 virus definition updates just for Android devices; 17 definitions have been released just today. See source below. Each definition update has between 1 and 4 or 5 signatures. That is an estimate of 1000 viruses solely on Android platforms for the first 5 months of 2017.

Time for resident AV. With ads in almost every app, malvertising and drive-by/compromised sites are a real threat, in addition to apps.

Source: ESET Virusradar site: Information about versions of ESET Virus detection database

Now, I should probably renew, ha. (This post is vendor-neutral; the point was to demonstrate the ever-increasing threat landscape of Android devices, even though they are running on Linux.) Part of it is due to the fragmentation of the Android ecosystem and the delay in updates from manufacturer, to carrier, to the end user.

___________________________________________________________________________________
How to check if your Android device has the latest software update (what is offered from the carrier or directly from Google).

See your carrier or device manufacturer's website to learn how to check for updates. It is generally Settings > About Device > Check for Updates.

Also, Settings > System Updates, Check for updates.

For security policies: Settings > Security > Security Policy Updates > Check for updates.

I personally recommend checking the box "Send security reports", as this helps the manufacturer (or is supposed to) be aware of any vulns or exploits that your phone may experience.
 
