Android Overlay and Accessibility Features Leave Millions at Risk

Researchers warn two features, not flaws, in Android can be used together to open devices up to attack.

University researchers are warning that two features, not flaws, core to Google’s Android mobile operating system can be used together to launch clickjacking attacks to gain control of a target’s phone.

The discovery was made by researchers at Georgia Institute of Technology, who call the research Cloak and Dagger. It involves two Android features and permissions called System Alert Window and Bind Accessibility Service.

“If a malicious app is installed from the Play Store, the user is not notified about the permissions and she does not need to explicitly grant them for the attacks to succeed,” wrote researchers in a paper (PDF) scheduled to be presented today at the IEEE Security and Privacy Symposium in San Jose, Calif.

The research builds off previous research published earlier in the month by Check Point Software Technologies that identified what it described as permission flaws in the way Android handled System Alert Window overlays.

“We have taken the Check Point research a step further and combined it with Bind Accessibility Services to create a worst case scenario for users,” said Wenke Lee, a professor in Georgia Tech’s School of Computer Science and co-director of the Institute for Information Security and Privacy, in an interview with Threatpost.

The attack involves first coaxing a target to install an app that uses Android’s overlay feature. Overlays are common in apps such as Facebook’s Messenger, which uses overlays to pop up Chat Head alerts indicating a new message has been received.

When installing apps that use this System Alert Window feature, Google does not require users to grant permission for access to the feature. That allows rogue app developers to develop desirable apps that include the overlay functionality without users knowing it.

Next, users are tricked using misleading overlays to enable the Bind Accessibility Service.

“The (overlay) allows an app to draw overlays on top of other apps, while the (accessibility feature) grants an app the ability to discover UI widgets displayed on the screen, query the content of these widgets, and interact with them programmatically, all as a means to make Android devices more accessible to users with disabilities,” wrote researchers in their report.

Similar research was presented by Skycure at this year’s RSA Conference. Skycure described its attack scenario as an Accessibility Clickjacking Exploit.

Lee argues that the Cloak and Dagger attack differs. “Google has made small changes in the way it implements overlay and accessibility features to make these attacks unfeasible. But when we disclosed our research to Google, it said the attacks were still not feasible in the real world. Our research shows it is,” he said.

When Georgia Tech tested a simulated Cloak and Dagger attack on 20 Android users, none of them were aware their devices were being hacked, according to the report.

Drawing further distinctions from prior research, Lee said the Cloak and Dagger attack is reliant on both the System Alert Window and Bind Accessibility Service.

“With only System Alert Window permission, the attacker can modify what the user sees, but cannot anticipate how/when the user reacts to the modified display, and thus fails to change the modified displayed content accordingly,” wrote researchers. “With only Bind Accessibility Service permission, the attacker can inject fake user inputs, but the attacker cannot prevent the user from seeing the results of these fake inputs displayed on the screen.”

An attacker needs permissions for both services to avoid detection, researchers said. “The synergy of the two permissions allows an attacker to both modify what the user sees and inject fake input, all while maintaining the expected ‘user experience’ and remaining stealthy,” they said.

As for Google, it said it will not address the issue with a patch, but will modify how it handles overlays in its upcoming release of Android O, expected later this year. At Google I/O last week, Android security team members said in Android O, System Alert overlays will include visual notifications that can be clicked on to remove the overlay.
