• Login
    View Item 
    •   SMARTech Home
    • Institute for Information Security & Privacy (IISP)
    • Institute for Information Security & Privacy Cybersecurity Lecture Series
    • View Item
    •   SMARTech Home
    • Institute for Information Security & Privacy (IISP)
    • Institute for Information Security & Privacy Cybersecurity Lecture Series
    • View Item
    JavaScript is disabled for your browser. Some features of this site may not work without it.

    Cloak & Dagger: From Two Android Permissions to Complete Control of the UI Feedback Loop

    Thumbnail
    View/Open
    fratantonio.mp4 (325.6Mb)
    fratantonio_videostream.html (985bytes)
    Date
    2017-04-07
    Author
    Fratantonio, Yanick
    Metadata
    Show full item record
    Abstract
    Although the two Android permissions -- SYSTEM_ALERT_WINDOW and BIND_ACCESSIBILITY_SERVICE -- have been separately abused to create redressing attacks and accessibility attacks, these previous cyberattacks never could completely control the user interface (UI) feedback loop. (They either relied on vanishing side-channels to time the appearance of overlay UI, could not respond properly to user input, or made the attacks literally visible.) In this work, we demonstrate how combining the capabilities of these permissions can create a devastating and stealthy new cyberattack on Android devices that grants the adversary complete control of the UI feedback loop. In particular, we demonstrate how an app with the above permissions can launch a variety of powerful attacks -- ranging from stealing user’s login credentials and security PIN, to the silent installation of a God-like app with all permissions enabled. To make things even worse, we found that the SYSTEM_ALERT_WINDOW permission is automatically granted for apps installed from the Play Store and, even though the BIND_ACCESSIBILITY_SERVICE is not automatically granted, our experiment shows that it is very easy to lure users to unknowingly grant that permission. As such, a user may never notice that a malicious app installed on his/her device is using these two permissions, and thus never suspects the app of carrying out the Cloak & Dagger attack. We also found that it is simple and straightforward to get a proof-of-concept app that allows both permissions into the official Android store. We evaluated the practicality of these attacks by performing a user study: none of the 20 human subjects that took part of the experiment even suspected they had been attacked. We conclude with a number of observations and best-practices that can help Google app developers to better secure the Android graphical user interface.
    URI
    http://hdl.handle.net/1853/58130
    Collections
    • Institute for Information Security & Privacy Cybersecurity Lecture Series [149]

    Browse

    All of SMARTechCommunities & CollectionsDatesAuthorsTitlesSubjectsTypesThis CollectionDatesAuthorsTitlesSubjectsTypes

    My SMARTech

    Login

    Statistics

    View Usage StatisticsView Google Analytics Statistics
    facebook instagram twitter youtube
    • My Account
    • Contact us
    • Directory
    • Campus Map
    • Support/Give
    • Library Accessibility
      • About SMARTech
      • SMARTech Terms of Use
    Georgia Tech Library266 4th Street NW, Atlanta, GA 30332
    404.894.4500
    • Emergency Information
    • Legal and Privacy Information
    • Human Trafficking Notice
    • Accessibility
    • Accountability
    • Accreditation
    • Employment
    © 2020 Georgia Institute of Technology