Cloak and Dagger Android Exploit: Steals Password and Logs Keystrokes

Researchers at Georgia Institute of Technology and University of California, Santa Barbara, have released a report stating several vulnerabilities found with Android Lollipop, Marshmallow and Nougat operating systems.

Pexels Photo 404280

According to the researchers, malicious apps have the capability to exploit two permissions on the Play Store — the ‘draw on top’ and ‘accessibility service’.

Users might be attacked using either one of these vulnerabilities or both of them. The attacker can clickjack, record keystrokes, steal security PIN of the device, insert adware into the device and also steam two-factor authentication tokens.

Also Read: 5 Tips to Prevent Your Android Device from Getting Hit by Ransomware.

“Cloak & Dagger is a new class of potential attacks affecting Android devices. These attacks allow a malicious app to completely control the UI feedback loop and take over the device, without giving the user a chance to notice the malicious activity,” the researchers noted.

This Vulnerability Had Been Exposed Earlier Too

Earlier this month, we had reported about a similar unfixed vulnerability in the Android operating system which would use the ‘System_Alert_Window’ permission used to ‘draw on top’.


Earlier, this permission — System_Alert_Window — had to be manually granted by the user, but with the advent of apps like Facebook Messenger and others which use on-screen pop-ups, Google grants it by default.

Although the vulnerability, if exploited, can lead to a full-fledged ransomware or adware attack, it won’t be easy for a hacker to initiate.

This permission is responsible for 74% of ransomware, 57% of adware and 14% of banker malware attacks on Android devices.

All the apps that you download from the Play Store are scanned for malicious codes and macros. So, the attacker will have to circumvent Google’s inbuilt security system to gain entry into the app store.

Google recently also updated its mobile operating system with an additional layer of security that scans through all the apps that are being downloaded onto the device via the Play Store.

Is Using Android Safe Right Now?

Malicious apps that are downloaded from the Play Store gain the two aforementioned permissions automatically, which allows an attacker to harm your device in the following ways:

  • Invisible Grid Attack: The attacker draws over an invisible overlay onto the device, allowing them to log keystrokes.
  • Stealing PIN of the device and operating it in the background even when the screen is switched off.
  • Injecting adware into the device.
  • Exploring the web and phishing stealthily.

The researchers contacted Google about the vulnerabilities found and have confirmed that although the company has implemented fixes, they aren’t fool-proof.

Android Attack

The update disables overlays, which prevents the invisible grid attack, but Clickjacking is still a possibility as these permissions can be unlocked by a malicious app using the phone unlocking method even when the screen is turned off.

The Google keyboard has also received an update which doesn’t prevent keystroke logging but ensures that passwords aren’t leaked as whenever inputting value into a password field, now the keyboard logs passwords as a ‘dot’ instead of the actual character.

But there is a way around this too which can be exploited by the attackers.

“Since it’s possible to enumerate the widgets and their hashcodes which are designed to be pseudo-unique, the hashcodes are enough to determine which keyboard’s button was actually clicked by the user,” the researchers pointed out.

Also Read: 13 Cool Upcoming Android Features Unveiled by Google.

All the vulnerabilities that the research has found out are still prone to an attack even though the latest version of Android received a security patch on May 5.

The researchers submitted an app to the Google Play Store which required the two aforementioned permissions and clearly showed malicious intent, but it got approved and is still available on the Play Store. This goes to show that the Play Store security isn’t really functioning all that well.

What’s the Best Bet to Stay Safe?

Checking and disabling both these permissions manually for any untrusted app that has access to either one or both of them is the best bet

This is how you can check which apps have access to these two ‘special’ permissions on your device.

  • Android Nougat: “draw on top” – Settings –> Apps –> ‘Gear symbol (top-right) –> Special access –> Draw over other apps
    ‘a11y’: Settings –> Accessibility –> Services: check which apps require a11y.
  • Android Marshmallow:  “draw on top” – Settings –> Apps –> “Gear symbol” (top-right) –> Draw over other apps.
    a11y: Settings → Accessibility → Services: check which apps require a11y.
  • Android Lollipop:“draw on top” –  Settings –> Apps –> click on individual app and look for “draw over other apps”
    a11y: Settings –> Accessibility –> Services: check which apps require a11y.

Google will be providing further security updates to resolve the issues found by the researchers.

Also Read: Here is How to Remove Ransomware From Your Phone.

While several of these vulnerabilities will be fixed by the following updates, issues surrounding the ‘draw on top’ permission are there to stay until Android O is released.

Security risks on the internet are growing at a massive scale and currently, the only way to protect your device is to install a trusted antivirus software and being a vigilante.

Last updated on 03 February, 2022

The above article may contain affiliate links which help support Guiding Tech. However, it does not affect our editorial integrity. The content remains unbiased and authentic.