“Cloak and dagger” new attack struck, can abuse legal authority to take any version of Android device

According to foreign media reported on the 25th, security researchers recently discovereda new type of attack means Cloak and Dagger (“cloak and dagger”), allowing hackers to completely control any version of the Android device (including the latest version 7.1.2), steal private sensitive Data, including keystrokes and chat logs, device PIN, online account password, OTP dynamic password and contacts contact information.


Interestingly, this attack does not exploit any vulnerability in the Android ecosystem, but rather abuse some of the features on Android devices that are legally used by popular apps. Cloak and Dagger mainly use the two basic Android system permissions:

  1. SYSTEM_ALERT_WINDOW (“draw on top”): A legal override feature that allows an application to overwrite other applications on the Android device screen.
  1. BIND_ACCESSIBILITY_SERVICE (“a11y”): help people with disabilities and visually impaired users through the voice command to enter information or use the screen reading function to listen to the event content.

Since Cloak and Dagger do not need to use any malicious code to execute Trojans, hackers can easily develop and submit malicious applications and are not easily found by Google Store. It is reported that hackers can install malicious applications after the implementation of a variety of operations, including advanced hijacking attacks, unlimited access keystroke record, stealth phishing attacks, quietly installed to obtain all the authority to operate God-mode applications, State to unlock the phone for any operation.


In short, hackers can take over the user’s Android device and monitor every move on the device. At present, although the researchers have disclosed to Google the means of attack, but because of such problems from the Android operating system design flaws and involves the normal operation of the two standard functions, so the problem probably can not solve the problem. The security expert recommends that users always download the app from the Google Play store and check the permissions settings carefully before installing the app.