cloak-and-dagger.org - Cloak and Dagger: From Two Permissions to Complete Control of the UI Feedback Loop

Description: This site hosts material and references on our research on Cloak and Dagger, new Android UI attacks

Example domain paragraphs

Cloak & Dagger is a new class of potential attacks affecting Android devices. These attacks allow a malicious app to completely control the UI feedback loop and take over the device — without giving the user a chance to notice the malicious activity. These attacks only require two permissions that, in case the app is installed from the Play Store, the user does not need to explicitly grant and for which she is not even notified. Our user study indicates that these attacks are practical. These attacks affect

We uncover a series of vulnerabilities and design shortcomings affecting the Android UI. These attacks abuse one or both of the SYSTEM_ALERT_WINDOW ("draw on top") and BIND_ACCESSIBILITY_SERVICE ("a11y"). If the malicious app is installed from the Play Store, the user is not notified about the permissions and she does not need to explicitly grant them for the attacks to succeed. In fact, in this scenario, "draw on top" is automatically granted, and this permission is enough to lure the user into unknowingly

Attacks that abuse the “draw on top” permission:

- Context-aware clickjacking & Context hiding: two techniques that make luring the user to enable the accessibility service practical, even when the latest security mechanisms (e.g., "obscured flag") are correctly implemented and enabled. (Note: others have identified ways to use clickjacking to get a11y. See "FAQ" below.)
- Invisible Grid Attack, allowing unconstrained keystroke recording, including passwords, private messages, etc.

Attacks that abuse “accessib
