Security researchers have discovered a major new vulnerability in Android that could let hackers steal your passwords and hijack your phone.
After carrying out proof of concept attacks, researchers from Georgia Institute of Technology said the vulnerability affects all versions of Android up to and including Nougat version 7.1.2.
Using the exploit, dubbed Cloak & Dagger, hackers can take control of your smartphone and steal private data, even recording keystrokes, PINs, private messages, account passwords and contacts.
Worst of all, there appears to be little Google or anyone else can do to prevent hackers from using the exploit to wreak havoc on your device.
This is due to the way the attack is carried out.
Rather than exploiting a particular vulnerability, hackers target the permissions that are used in legitimate apps to access specific features on an Android device.
The first permission targeted by the hackers is known as “Draw on Top”, which allows an app to display its content over other apps.
The security researchers demonstrated an attack targeting this permission by creating an overlay which looks identical to a Facebook login page. If you failed to spot the page was a fake you would be unwittingly entering your login details in a page controlled by the hackers.
In another example, the researchers created an overlay which was able to sit on top of the Android keyboard and recorded everything you typed.
“If the malicious app is installed from the Play Store, the user is not notified about the permissions and she does not need to explicitly grant them for the attacks to succeed. In fact, in this scenario, ‘draw on top’ is automatically granted,” the researchers said.
“Most of these attacks are due to design issues, and they are thus challenging to prevent. In fact, one may say that some of these functionality work ‘as intended’; nonetheless, this work shows that this functionality can be abused.
To date, all these attacks are still practical.”
In response, Google said: “We’ve been in close touch with the researchers and, as always, we appreciate their efforts to help keep our users safer.”
“We have updated Google Play Protect — our security services on all Android devices with Google Play — to detect and prevent the installation of these apps. Prior to this report, we had already built new security protections into Android O that will further strengthen our protection from these issues moving forward.”
The security researchers have set up cloak-and-dagger.org which provides more info on the exploit and on which versions of Android are most at risk.
One way users can protect themselves is by turning off the ‘Draw on Top’ app permission, which you can do by going to Settings > Apps > Gear symbol > Special access > Draw over other apps.
As always, make sure you only download apps from the Google Play Store to further reduce the risk of downloading viruses or malware to your Android device.
You should also pay close attention to the permissions being requested by an app before you download it. If the app is asking for access to things it shouldn’t, don’t install it. For example, there is no reason why a flashlight app should require access to your microphone or contacts.
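The permission check described above can be scripted. This is an added example, not code from the article or the researchers, and it assumes the app's manifest has been decoded to text XML (for instance with apktool). It treats “Draw on Top” as `android.permission.SYSTEM_ALERT_WINDOW` and also flags a declared accessibility service, which the article does not mention. The sample manifest and the expected-permission set are constructed.

```python
import xml.etree.ElementTree as ET

ANDROID_NS = "{http://schemas.android.com/apk/res/android}"
OVERLAY = "android.permission.SYSTEM_ALERT_WINDOW"  # shown as "Draw over other apps"
A11Y = "android.permission.BIND_ACCESSIBILITY_SERVICE"

# Constructed sample: decoded manifest of a hypothetical flashlight app.
SAMPLE_MANIFEST = """<manifest
    xmlns:android="http://schemas.android.com/apk/res/android"
    package="com.example.flashlight">
  <uses-permission android:name="android.permission.CAMERA"/>
  <uses-permission android:name="android.permission.RECORD_AUDIO"/>
  <uses-permission android:name="android.permission.READ_CONTACTS"/>
  <uses-permission android:name="android.permission.SYSTEM_ALERT_WINDOW"/>
  <application>
    <service android:name=".HelperService"
             android:permission="android.permission.BIND_ACCESSIBILITY_SERVICE"/>
  </application>
</manifest>"""

# Assumption: what a reviewer accepts as reasonable for a flashlight app.
EXPECTED_FOR_FLASHLIGHT = {"android.permission.CAMERA"}


def audit_manifest(manifest_xml, expected):
    """Return (package, findings) for a decoded AndroidManifest.xml string."""
    root = ET.fromstring(manifest_xml)
    requested = set()
    for tag in ("uses-permission", "uses-permission-sdk-23"):
        for el in root.iter(tag):
            name = el.get(ANDROID_NS + "name")
            if name:
                requested.add(name)
    findings = []
    if OVERLAY in requested:
        findings.append(("overlay", OVERLAY))
    # An accessibility service is declared on a <service>, not as uses-permission.
    for svc in root.iter("service"):
        if svc.get(ANDROID_NS + "permission") == A11Y:
            findings.append(("accessibility-service", svc.get(ANDROID_NS + "name")))
    # Anything else outside the expected set is worth a second look.
    for perm in sorted(requested - set(expected) - {OVERLAY}):
        findings.append(("unexpected", perm))
    return root.get("package"), findings


if __name__ == "__main__":
    package, findings = audit_manifest(SAMPLE_MANIFEST, EXPECTED_FOR_FLASHLIGHT)
    for kind, detail in findings:
        print(f"{package}: {kind}: {detail}")
```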
H/T Hacker News