Newly Discovered Android Exploit 'Cloak and Dagger' Lets Hackers Hide Malicious Activity

An exploit that affects Android devices has been discovered. Dubbed Cloak and Dagger, the attack is able to disguise a hacker’s activity behind a number of innocuous-looking screens that allow the malicious behavior to go undetected.

The attack was first discovered by Yanick Fratantonio, Chenxiong Qian, Simon Pak Ho Chung and Wenke Lee — researchers at the Georgia Institute of Technology — who were able to create a proof of concept attack.

In a report published by the researchers, the group detailed how it was able to create a piece of malicious software that effectively creates an invisible grid that mirrors the Android screen and captures every action a user performs, including typing on the on-screen keyboard.

“The possible attacks include advanced clickjacking, unconstrained keystroke recording, stealthy phishing, the silent installation of a God-mode app [with all permissions enabled], and silent phone unlocking [and] arbitrary actions [while keeping the screen off],” the researchers wrote.

The group called Cloak and Dagger “a new class of potential attacks” that can target Android devices. The attacks require only two permissions from the user. Were a malicious app using Cloak and Dagger to be downloaded from the Google Play Store, it would not require the user to explicitly approve those permissions, because they are automatically granted.

In a demonstration of how the attack works, the researchers showed how they were able to create interactive user interface elements that appear to be part of an actual app.

In one case, the group created a password form that appeared as though it was part of the Facebook app. Once a user entered the password, the form would disappear but the attacker would know what the user typed.

Cloak and Dagger was first discovered by the researchers last August. The proof of concept published Thursday shows the attack can be carried out on all recent versions of Android, including the latest version, Android 7.1.2. The exploit that enables the attack is yet to be fixed, the group said.

“We’ve been in close touch with the researchers and, as always, we appreciate their efforts to help keep our users safer,” Google said in response to the discovery.

“We have updated Google Play Protect — our security services on all Android devices with Google Play — to detect and prevent the installation of these apps. Prior to this report, we had already built new security protections into Android O that will further strengthen our protection from these issues moving forward.”

Users who are concerned about Cloak and Dagger-style attacks are advised not to download unknown or untrusted applications.

It is possible to defeat the attacks by denying the permissions required to carry them out. This can be done by turning off the “draw on top” permission by going into Settings, opening the Apps menu, tapping the Gear symbol, opening “Special access” and unchecking the “Draw over other apps” option.
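
As an added example (not from the article or the researchers), the Python check below flags decoded app manifests that declare the overlay permission the step above turns off, alone or together with an accessibility service. The article does not name the two permissions; the `SYSTEM_ALERT_WINDOW` and `BIND_ACCESSIBILITY_SERVICE` identifiers, the sample manifests and their package names are assumptions constructed for illustration.

```python
import xml.etree.ElementTree as ET

ANDROID = "{http://schemas.android.com/apk/res/android}"
# Assumption: the article does not name the two permissions; these are the
# Android identifiers for "draw over other apps" and accessibility services.
OVERLAY = "android.permission.SYSTEM_ALERT_WINDOW"
A11Y = "android.permission.BIND_ACCESSIBILITY_SERVICE"

def audit_manifest(xml_text):
    """Classify one decoded AndroidManifest.xml by the permission pair it declares."""
    if "<!DOCTYPE" in xml_text:
        # Decoded manifests carry no DTD; refuse one rather than expand entities.
        raise ValueError("unexpected DOCTYPE in manifest")
    root = ET.fromstring(xml_text)
    requested = {el.get(ANDROID + "name")
                 for tag in ("uses-permission", "uses-permission-sdk-23")
                 for el in root.iter(tag)}
    # An accessibility service is a <service> protected by the bind permission.
    services = [s.get(ANDROID + "name") for s in root.iter("service")
                if s.get(ANDROID + "permission") == A11Y]
    overlay = OVERLAY in requested
    if overlay and services:
        verdict = "overlay+accessibility"   # both permissions: review first
    elif overlay:
        verdict = "overlay-only"
    elif services:
        verdict = "accessibility-only"
    else:
        verdict = "neither"
    return {"package": root.get("package"), "verdict": verdict,
            "accessibility_services": services}

# Constructed sample manifests (hypothetical packages, not real apps).
NS = 'xmlns:android="http://schemas.android.com/apk/res/android"'
SAMPLES = [
    f'''<manifest {NS} package="com.example.flashlight">
          <uses-permission android:name="{OVERLAY}"/>
          <application>
            <service android:name=".HelperService" android:permission="{A11Y}"/>
          </application>
        </manifest>''',
    f'''<manifest {NS} package="com.example.chatheads">
          <uses-permission android:name="{OVERLAY}"/>
        </manifest>''',
    f'<manifest {NS} package="com.example.notes"><application/></manifest>',
]

if __name__ == "__main__":
    for manifest in SAMPLES:
        print(audit_manifest(manifest))
```

Apps reported as `overlay+accessibility` are the ones to check first in the “Draw over other apps” list described above.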
