The image above illustrates just one attack vector, clickjacking – where the user thinks they are okaying one thing while invisibly okaying something else. For illustrative purposes, the researchers have made the real action visible behind the overlay, but in real use (seen in the video below) the permission box would be invisible to the user …
These attacks allow a malicious app to completely control the UI feedback loop and take over the device — without giving the user a chance to notice the malicious activity. These attacks only require two permissions that, in case the app is installed from the Play Store, the user does not need to explicitly grant and for which she is not even notified. Our user study indicates that these attacks are practical. These attacks affect all recent versions of Android (including the latest version, Android 7.1.2), and they are yet to be fixed.
The researchers from UC Santa Barbara and Georgia Tech disclosed their detailed findings to Google. Engadget reports a Google spokesperson stating that an update prevents the installation of the apps.
We’ve been in close touch with the researchers and, as always, we appreciate their efforts to help keep our users safer. We have updated Google Play Protect — our security services on all Android devices with Google Play — to detect and prevent the installation of these apps. Prior to this report, we had already built new security protections into Android O that will further strengthen our protection from these issues, moving forward.
However, the researcher say that Google’s fix is only a partial one.
Google implemented a partial fix (only on Android 7.1.2): “on top” overlays do not appear anymore whenever an app’s permission list is shown. However, this is only used for “normal” permissions, and not for “special” permissions, such as “draw on top” and a11y. This is problematic: since the “clickjacking → a11y” is still possible, a malicious app can use the “Phone Unlocking (while keeping the screen off) attack” to enable these permissions while keeping the screen off, thus making the silent installation of a God-mode app still practical.
The team says that all the attacks described remain practical.