Most malware requires some form of active user interaction in order to infect a device -- a click on free x rated moviesa link in a phishing email, or the installation of software from an unverified source.
But a new type of attack, dubbed Cloak and Dagger, can basically take over your Android phone without your (conscious) help. Worse, no major version of Android is safe at this time.
SEE ALSO: Whoops. Millions of Android phones are wide open to hackersDescribed by a team of researchers from the University of California and the Georgia Institute of Technology, Cloak and Dagger relies on the way Android UI handles certain permissions.
If an app is downloaded from Google's Play Store, researchers claim, it is automatically granted the SYSTEM_ALERT_WINDOW permission, aka "draw on top." You've likely seen this permission in action -- it's used by Facebook's chat heads, which float over other content on your screen.
This can be used to hijack the user's clicks and lure her into giving the app another permission, called BIND_ACCESSIBILITY_SERVICE or a11y, which can be used for stealing your passwords and pins, for example.
A hacker that combines both these vulnerabilities could silently install a "God-mode" app with all permissions enabled, including access to your messages and calls.
Even though a lot of this is intended behavior and not an actual exploit, it can definitely be used to take over someone's device. The researchers claim they tested it on 20 human subjects, none of which had realized what was going on.
The one thing that protects users right now is the fact that to do all this, the malicious app must be downloaded from Google's official Play Store, meaning that it has to pass Google's security checks. But from past examples we know it's definitely possible for malicious hackers to slip in a malware-infested app into Play Store.
"It is trivial to get such an app accepted on the Google Play Store."
"A quick experiment shows that it is trivial to get such an app accepted on the Google Play Store," the researchers claim. "We submitted an app requiring these two permissions and containing a non-obfuscated functionality to download and execute arbitrary code (attempting to simulate a clearly-malicious behavior): this app got approved after just a few hours (and it is still available on the Google Play Store)," they wrote.
While Google has partially fixed the issue in the latest version of Android (7.1.2), the researchers claim it's still fully possible to take advantage of the vulnerabilities described above. According to the researchers, these aren't "simple bugs" but "design-related issues," meaning it will take more time to fix them; moreover, Google considers some of these issues as features, and does not currently plan to fix them.
To protect their devices, the only thing users can do right now is check which apps have access to the "draw on top" and a11y permissions. The steps to do this vary in different versions of Android; they are listed here.
"We've been in close touch with the researchers and, as always, we appreciate their efforts to help keep our users safer. We have updated Google Play Protect -- our security services on all Android devices with Google Play -- to detect and prevent the installation of these apps. Prior to this report, we had already built new security protections into Android O that will further strengthen our protection from these issues moving forward," a Google spokesperson toldMashable.
Topics Android Cybersecurity
Today's Hurdle hints and answers for April 29, 2025
Happy Birthday, J. R. R. Tolkien by Sadie Stein
Louise Bourgeois, Untitled, 1994 by The Paris Review
Street Scene by Jiayang Fan
Best headphone deal: Take 22% off the Sonos Ace at Amazon
How to Get into College, Indiana Jones Edition by Sadie Stein
Oral Sadism and the Vegetarian Personality by Sadie Stein
And Everywhere That Mary Went by Sadie Stein
NYT Strands hints, answers for May 5
They Say It’s Wonderful: Hartman and Coltrane, an Appreciation by Matthew Kassel
Episode 4: The Wave of the Future
The Perfect Stocking Stuffer by Sadie Stein
Things Behind the Sun by Brian Cullman
Oral Sadism and the Vegetarian Personality by Sadie Stein
Exceptionally rare radio sources detected in the distant universe
Leo Tolstoy, Emerging Author, and Other News by Sadie Stein
How to be a Bureaucrat, and Other News by Sadie Stein
What We’re Loving: Comfort Reads, Evil Santas by The Paris Review
NYT mini crossword answers for May 9, 2025
A Printer Called Lethem, and Other News by Sadie Stein
Best Black Friday streaming addBest Black Friday iPad deal: Save $90 on Apple iPad (10th Gen)Best Black Friday deals at Best Buy: Sony earbuds gaming laptops, and more25+ best Bluetooth speaker deals ahead of Black FridayDoes 'Moana 2' have an endBest Black Friday streaming addShop early Black Friday deals on Kindle booksGame Pass Black Friday Deal: Save over $50 at AmazonBest Black Friday streaming addThree AI products that flopped in 2024NYT Connections hints and answers for November 28: Tips to solve 'Connections' #536.Early Black Friday 2Threads might adopt Bluesky’s starter packsNYT Connections Sports Edition hints and answers for November 28: Tips to solve Connections #66Early Black Friday keyboard deals for daily use and gamingThree AI products that flopped in 2024Target Black Friday Buy Two, Get One deal: Save on books, movies, and musicBest Black Friday deals that make great stocking stuffersBest early Black Friday deals: Save up to $1,900 at Samsung25+ best Black Friday beauty tech deals: Dyson, T3, Solawave DOJ wants the IP addresses of 1.3 million visitors to a Trump protest website Xbox Series X review: One small leap for one giant console Internet vigilantes are naming and shaming the Charlottesville white supremacists Barack Obama delivered a special message for Chance the Rapper and Chicago Spot the robot dog used by NYPD at crime scene Gaming chat app shuts down alt 'The Mandalorian' Season 2 premiere recap: "The Marshal" Very excited dad nails insane frisbee golf shot. Son doesn't care. MacBook Pro and Air with Apple's new chips are launching next week, report claims Male beauty blogger transforms into Emma Watson and it's uncanny Family finds a live scorpion inside their bananas Can you name the 3 branches of government? This meme offers up some, uh, creative answers. Sonic the Hedgehog is now a symbol of the anti Why the flood of misinformation in Pennsylvania is a huge problem Tesla's 'Full Self Mariah Carey kicks off the holiday season, those are the rules 'Baby Shark' is now the most watched YouTube video of all time Motorola changes Razr shipping to keep fingerprints off new phones 'Bachelor in Paradise' inadvertently joins the impeach Trump train Google cancels The Daily Stormer's domain registration just hours after GoDaddy warning
2.3849s , 10132.5 kb
Copyright © 2025 Powered by 【free x rated movies】,Evergreen Information Network