Georgia Tech researchers discover combination of Android features that makes the OS vulnerable

Researchers from the Georgia Tech university have discovered an Android vulnerability that cannot be easily fixed. The vulnerability is not a bug in the software, or a hole that can be patched. Instead, the vulnerability originates from a combination of features in the operating system, which makes it far more difficult to fix than a conventional security update. The vulnerability could lead to a new class of malicious strikes, which the researchers have dubbed as "Cloak and Dagger" attacks.

Wenke Lee, a professor in Georgia Tech’s School of Computer Science, says "In Cloak and Dagger, we identified two different Android features that when combined, allow an attacker to read, change or capture the data entered into popular mobile apps. The two features involved are very useful in mapping, chat or password manager apps, so preventing their misuse will require users to trade convenience for security. This is as dangerous an attack as we could possibly describe."

The attack is based on two features of the OS. One feature allows applications to draw over other apps, used by chat apps, ride sharing apps and screen records. This functionality provides the "cloak". The other is an accessibility feature that allows for voice inputs instead of text, and this feature acts as the "dagger". Used together, an application can masquerade as another, and steal sensitive data from a user such as banking details or passwords. The researchers tested the attack on 20 Android users, and none of them were able to detect that the device had been compromised.

The finding shows that software developers have to figure out all the ways that the features in an operating system can interact with each other, and if this interaction opens up any security holes. For users to be safe from such attacks, the researchers advise that users verify the sources of the applications, and download only trusted applications. Android versions up to and including 7.1.2 are vulnerable to the attack.

Published Date: May 23, 2017 17:08 PM | Updated Date: May 23, 2017 17:08 PM