Cloak and Dagger: From Two Permissions to Complete Control of the UI Feedback Loop
- This is a talk from 2017 about clickjacking + other UI attacks on Android.
- Went through a bunch of attacks really quickly so I sort of lost track, but here are some highlights:
  - Every app installed from the Play Store automatically receives the SYSTEM_ALERT_WINDOW ("draw on top") permission, which lets it draw overlays over other apps. An opaque overlay with a hole cut out over the real "OK" button lets the user tap "OK" on a permission dialog without realizing it: they think they are tapping the overlay's UI, but the tap goes through the hole to the dialog underneath.
  - They then use this technique to get the user to enable the app as an accessibility service (BIND_ACCESSIBILITY_SERVICE, what a screen reader uses, for example), and this lets the app read passwords off the keyboard, read TOTPs from authenticator apps, and even read the user's PIN as they enter it.
  - Worse, the malicious app can then use the PIN to unlock the phone while the screen is off, change the PIN, display a ransomware message, and shut the phone down, locking the user out. :scream:
- The rest of the talk was about their disclosure timeline and how Google (and possibly the industry in general) was dismissive because these are "just" UI attacks. They published a paper that got a lot of press, which put more pressure on Google. As of the date of the talk (2017-09-02), these issues were not fixed.
- I wonder what this looks like on current versions of Android; are any of these attacks still around?
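As an added example (not code from the talk or the Cloak and Dagger paper), here is the defensive side of the overlay trick as an app developer can implement it in Android Java: a sensitive "Confirm" button that refuses taps while another app's window is drawn over it, plus a check for enabled accessibility services to cover the second half of the attack. The package and class names are hypothetical; the APIs used are the platform's own: `View.setFilterTouchesWhenObscured` (API 9), `MotionEvent.FLAG_WINDOW_IS_OBSCURED` (API 9), `MotionEvent.FLAG_WINDOW_IS_PARTIALLY_OBSCURED` (API 29) and `Window.setHideOverlayWindows` (API 31, needs the normal permission `android.permission.HIDE_OVERLAY_WINDOWS` in the manifest).

```java
// Added example, not from the talk: an Activity whose sensitive button ignores
// touches that arrive while another app's overlay covers the window.
package com.example.overlaydefense; // hypothetical package name

import android.app.Activity;
import android.os.Build;
import android.os.Bundle;
import android.util.Log;
import android.view.MotionEvent;
import android.view.View;
import android.view.accessibility.AccessibilityManager;
import android.view.accessibility.AccessibilityServiceInfo;
import android.widget.Button;
import android.widget.LinearLayout;
import android.widget.Toast;

import java.util.List;

public class ConfirmActivity extends Activity {
    private static final String TAG = "OverlayDefense";

    @Override
    protected void onCreate(Bundle savedInstanceState) {
        super.onCreate(savedInstanceState);

        // Android 12+ (API 31): ask the system not to draw other apps'
        // SYSTEM_ALERT_WINDOW overlays on top of this window at all.
        // Requires <uses-permission android:name="android.permission.HIDE_OVERLAY_WINDOWS"/>.
        if (Build.VERSION.SDK_INT >= Build.VERSION_CODES.S) {
            getWindow().setHideOverlayWindows(true);
        }

        Button confirm = new Button(this);
        confirm.setText("Confirm transfer");

        // Older mitigation (API 9+): the view discards touches delivered while
        // its window is fully obscured by another window. This is the same
        // FLAG_WINDOW_IS_OBSCURED check the system permission dialogs rely on.
        confirm.setFilterTouchesWhenObscured(true);

        // setFilterTouchesWhenObscured only covers a *fully* obscured window.
        // The "overlay with a hole" attack leaves the window partially obscured,
        // which API 29+ reports separately, so inspect the flags ourselves too.
        confirm.setOnTouchListener((v, event) -> {
            int flags = event.getFlags();
            boolean obscured = (flags & MotionEvent.FLAG_WINDOW_IS_OBSCURED) != 0;
            boolean partiallyObscured = Build.VERSION.SDK_INT >= Build.VERSION_CODES.Q
                    && (flags & MotionEvent.FLAG_WINDOW_IS_PARTIALLY_OBSCURED) != 0;
            if (obscured || partiallyObscured) {
                Log.w(TAG, "Touch rejected: window is covered by another app's overlay");
                Toast.makeText(v.getContext(), "Close overlays before confirming",
                        Toast.LENGTH_SHORT).show();
                return true; // consume the event so the click handler never fires
            }
            return false; // not obscured: let the normal click proceed
        });

        confirm.setOnClickListener(v -> {
            if (!enabledAccessibilityServices().isEmpty()) {
                // An enabled accessibility service can read the screen and inject
                // taps. Screen readers are legitimate, so treat this as a signal
                // (warn, step up authentication) rather than a hard block.
                Log.w(TAG, "Confirming with accessibility services enabled: "
                        + enabledAccessibilityServices());
            }
            Log.i(TAG, "Confirmed by a genuine tap");
        });

        LinearLayout root = new LinearLayout(this);
        root.addView(confirm);
        setContentView(root);
    }

    // Lists the accessibility services currently enabled on the device (API 14+).
    private List<AccessibilityServiceInfo> enabledAccessibilityServices() {
        AccessibilityManager am =
                (AccessibilityManager) getSystemService(ACCESSIBILITY_SERVICE);
        return am.getEnabledAccessibilityServiceList(
                AccessibilityServiceInfo.FEEDBACK_ALL_MASK);
    }
}
```

The two touch checks are deliberately layered: `setFilterTouchesWhenObscured` works on every Android version but only fires when the whole window is covered, which is exactly the case a hole in the overlay avoids; the partial-obscured flag closes that gap on API 29+, and `setHideOverlayWindows` removes the overlay entirely on API 31+. None of this helps against an already-enabled malicious accessibility service, which is why the click handler also looks at the service list.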