The Cloak & Dagger exploit, discovered recently by a team from the Georgia Institute of Technology, takes advantage of only two permissions that are actually automatically given if a malicious app is installed from the Play Store. This opens up most devices – even up to the latest Android 7.1.2 – to malicious attacks like clickjacking, keystroke recording, and a whole lot more.
The Cloak & Dagger exploit was discovered by Yanick Fratantonio, Chenxiong Qian, Simon Pak Ho Chung, and Wenke Lee, a team of researchers who found that it rides on two specific permissions – SYSTEM_ALERT_WINDOW and BIND_ACCESSIBILITY_SERVICE – which let an app draw interactive elements over the user’s screen. From there, the user is unknowingly lured into clickjacking. To add to the concern, an attacker can also record your keystrokes, steal your passwords, and get access to what secure accounts you log into via your phone.
Now, the fundamental nature of these features and permissions in Android points us to two things. First, because the exploitable features are built into the platform, the exploit can be done even on very new devices that run the latest and greatest Android Nougat release. Second, Google has been averse to “fixing” the issue because “limiting those services would render the device unusable”.
This means that at the very least, a re-think of these user interface elements would be in order, so that this exploit could not be used. Sadly, it might take a while for Google to realize that a re-think is needed. Check out the details of the exploit from the source link below.
SOURCE: Cloak and Dagger