Cloak and Dagger - From Two Permissions to Complete Control of the UI Feedback Loop


  • This is a talk from 2017 about clickjacking + other UI attacks on Android.

  • Went through a bunch of attacks really quickly, so I sort of lost track, but here are some highlights:

    • All Play Store apps receive the DRAW_ON_TOP permission, which lets you draw overlays over other apps.

    • A hole in the overlay allows the user to click “OK” on a permission without realizing they’re doing it.


    • They then use this technique to get the user to grant a11y permissions (what a screen reader would use, for example), and this lets you do things like read passwords off the keyboard, read TOTPs from authenticator apps, and even read a user’s PIN when they’re entering it.

    • Worse, the malicious app can then use the PIN to unlock the phone while the screen is switched off, change the PIN, set up a ransomware message, and shut down the phone, locking the user out. :scream:

  • The rest of the talk was about their disclosure timeline and how Google (and possibly the industry in general) was dismissive because these are “just” UI attacks. They published a paper that got a lot of press, which put more pressure on Google. As of the date of the talk (2017-09-02), these issues are not fixed.

  • I wonder what this looks like on current versions of Android; are any of these attacks still around?
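
An added example, not from the talk or the paper: the app-side defense Android offers against the overlay-with-a-hole trick described above. A view that sets `filterTouchesWhenObscured` has its touches dropped by the framework whenever another window covers it, and the extra `MotionEvent` flag check catches the partially-obscured case that the framework filter ignores. The class and package names are hypothetical; the accessibility-service listing is informational only, since it cannot tell a screen reader from a malicious service.

```java
package example.tapjacking; // hypothetical package name

import android.app.Activity;
import android.content.Context;
import android.os.Build;
import android.os.Bundle;
import android.util.Log;
import android.view.MotionEvent;
import android.view.accessibility.AccessibilityManager;
import android.view.accessibility.AccessibilityServiceInfo;
import android.widget.Button;
import java.util.List;

public class ConfirmActivity extends Activity {
    private static final String TAG = "TapjackingGuard";

    @Override
    protected void onCreate(Bundle savedInstanceState) {
        super.onCreate(savedInstanceState);
        Button ok = new Button(this);
        ok.setText("OK");
        // Framework filter: touches delivered while another window fully covers
        // this view are discarded before any listener sees them.
        ok.setFilterTouchesWhenObscured(true);
        // The framework filter only looks at FLAG_WINDOW_IS_OBSCURED, so also
        // reject the partially-obscured case (reported from API 29 onward).
        ok.setOnTouchListener((v, ev) -> {
            if (isObscured(ev)) {
                Log.w(TAG, "Touch rejected: an overlay is covering this window");
                return true; // consume the event so no click is generated
            }
            return false;
        });
        ok.setOnClickListener(v -> { setResult(RESULT_OK); finish(); });
        setContentView(ok);
        logEnabledAccessibilityServices();
    }

    static boolean isObscured(MotionEvent ev) {
        int flags = ev.getFlags();
        boolean obscured = (flags & MotionEvent.FLAG_WINDOW_IS_OBSCURED) != 0;
        if (Build.VERSION.SDK_INT >= Build.VERSION_CODES.Q) {
            obscured |= (flags & MotionEvent.FLAG_WINDOW_IS_PARTIALLY_OBSCURED) != 0;
        }
        return obscured;
    }

    // Surfaces which accessibility services can currently observe this UI;
    // useful for risk logging, not a decision that can block anything.
    private void logEnabledAccessibilityServices() {
        AccessibilityManager am = (AccessibilityManager) getSystemService(Context.ACCESSIBILITY_SERVICE);
        List<AccessibilityServiceInfo> enabled =
                am.getEnabledAccessibilityServiceList(AccessibilityServiceInfo.FEEDBACK_ALL_MASK);
        for (AccessibilityServiceInfo info : enabled) Log.i(TAG, "a11y service enabled: " + info.getId());
    }
}
```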
