October 2017 Knowledge Knugget

Cloak and Dagger

Mobile malware continues to plague end users and their phones. Palo Alto Networks security experts have discovered an attack that takes advantage of Android’s overlay system. The attack takes control of the user interface (UI) feedback loop, hiding malicious activity from the user. The overlay can cover any underlying screen with a fake visual. By drawing on top of other windows, a malicious app can trick users into granting permissions or access, or opting in to a service they are not aware of. The attack, dubbed Cloak and Dagger, changes what the victim sees. The Toast overlay allows messages to pop up and be displayed over running applications. For example, when the user receives a text message, the information is typically displayed on top of whatever application the user is currently using.

Through the overlay attack, the user can be tricked into giving a malicious app administrator permissions on the device. With these permissions, the application will have the ability to launch attacks on the phone that can include:

  • Preventing the user from uninstalling the malicious application
  • Wiping the user’s data from the device
  • Locking the device, preventing the user from accessing it
  • Changing the device’s PIN

The vulnerability that Cloak and Dagger leverages was patched by Google on September 5, 2017. However, many devices won’t receive the update until the device manufacturer and/or phone service provider includes the patch in its own updates, which can be severely delayed.

Brian Sudduth
Lab and Training Coordinator
Cyber Security Institute