Cloak & Dagger: From Two Android Permissions to Complete Control of the UI Feedback Loop
Although the two Android permissions -- SYSTEM_ALERT_WINDOW and BIND_ACCESSIBILITY_SERVICE -- have been separately abused to create redressing attacks and accessibility attacks, these previous cyberattacks could never completely control the user interface (UI) feedback loop. (They either relied on vanishing side-channels to time the appearance of overlay UI, could not respond properly to user input, or made the attacks literally visible.) In this work, we demonstrate how combining the capabilities of these permissions can create a devastating and stealthy new cyberattack on Android devices that grants the adversary complete control of the UI feedback loop. In particular, we demonstrate how an app with the above permissions can launch a variety of powerful attacks -- ranging from stealing a user’s login credentials and security PIN, to the silent installation of a God-like app with all permissions enabled. To make things even worse, we found that the SYSTEM_ALERT_WINDOW permission is automatically granted for apps installed from the Play Store and, even though the BIND_ACCESSIBILITY_SERVICE is not automatically granted, our experiment shows that it is very easy to lure users to unknowingly grant that permission. As such, a user may never notice that a malicious app installed on his/her device is using these two permissions, and thus never suspects the app of carrying out the Cloak & Dagger attack. We also found that it is simple and straightforward to get a proof-of-concept app that allows both permissions into the official Android store. We evaluated the practicality of these attacks by performing a user study: none of the 20 human subjects that took part in the experiment even suspected they had been attacked. We conclude with a number of observations and best practices that can help Google app developers to better secure the Android graphical user interface.