New attacks allow malicious app to completely control UI feedback loop and take over your device.
First, the good news: this particular attack is somewhat theoretical at this point, since the good guys were the ones who discovered it. The bad news, though, is manifold. Anyone with the right know-how can infect virtually any Android device, and the malicious app will steal data without you ever noticing.
Researchers at Georgia Tech discovered Cloak and Dagger, and according to their findings, “these attacks allow a malicious app to completely control the UI feedback loop and take over the device — without giving the user a chance to notice the malicious activity. These attacks only require two permissions that, in case the app is installed from the Play Store, the user does not need to explicitly grant and for which she is not even notified.”
Third-party apps blamed
Android’s various branded and third-party app stores have long been blamed for an abundance of malicious content hiding in plain sight as downloads, something that Apple fans have typically avoided due to the company’s strict requirements. In this case, specific categories of downloads containing the malicious code don’t even require the user to grant permissions, something that too many smartphone users already take for granted.
100% strike rate
How effective is Cloak and Dagger? According to the limited test trial the researchers conducted, 100%! While their sample size was only 20 Android users, all of them remained completely unaware while the team compromised their devices. The processes they were able to remotely carry out include “advanced clickjacking attack, unconstrained keystroke recording, stealthy phishing attack, silent installation of a God-mode app (with all permissions enabled), silent phone unlocking and arbitrary actions (while keeping the screen off),” and more. For a complete list of the actions the researchers were able to carry out, as well as the list of Android versions that are known to be affected, see the researchers’ more detailed report.