Cloak and Dagger Subterfuge


If you haven’t become concerned about putting off patching and reviewing user permissions in the wake of wanna cry and eternalrocks, then perhaps you should reexamine your risk assessment and management model.

Patches of any kind are always inconvenient especially if you are of any size or distribution of forces. Critical patches are even worse, since they throw off any regular scheduling that allows you to handle the load — inviting heroic efforts to make sure they get done and major load of irritation for any one impacted by it. That’s one of the big hurdles that contribute to patches just not getting done except on the regular cycle — if at all. Often, updating gets put off for one reason or another until something breaks or goes nuclear. Examining permissions on a regular basis is just as bad, if not worse, given it’s not a true widget to check on most security lists. While you might do some housekeeping to police up lingering permissions when people depart your company, the intersection of people moving departments or gaining and losing access to programs as their jobs morph and change tend to fall off the radar of normal business life.

So, let me introduce another reason for you to take patching (even if you are behind) a bit more seriously.

If you use an Android then you know it’s a fun mix of awesome and, “what were they thinking…” all in one. The design and security choices made by Google are … eclectic at times. Take the discoveries popularized on the site cloak and dagger . The site outlines a class of attacks called “cloak and dagger”. These attacks allow a malicious app to completely control the UI feedback loop and take over the device — without giving the user a chance to notice the malicious activity. The crux of the attacks is exploiting design choices made by Google to leverage how access to the a11y power privilege. Exploiting this privilege allows for a series of attacks to occur, such as PIN setaling, clickjacking, and silent installation of God-mode app.

I’d suggest digging into the cloak and dagger site more to get a better picture of this class of attacks. If you use Android, staying up to date is just step one. I’ve noted the recommendations from their site below.  It’s as much staying up to date as it is apply the proper permissions and then to enforce them as you add and subtract apps to your Android device.

Android 7.1.2:
— “draw on top” permission: Settings → Apps → “Gear symbol” (top-right) → Special access → Draw over other apps.
— a11y: Settings → Accessibility → Services: check which apps require a11y.
Android 6.0.1:
— “draw on top” permission: Settings → Apps → “Gear symbol” (top-right) → Draw over other apps.
— a11y: Settings → Accessibility → Services: check which apps require a11y.
Android 5.1.1:
— “draw on top” permission: Settings → Apps → click on individual app and look for “draw over other apps”
— a11y: Settings → Accessibility → Services: check which apps require a11y.

The cloak and dagger website references this blog post from skycure as a source reference to their own research. If you are are like me and like to follow the train of thought back to its beginnings, it’s a good start. That blog post in turn has even more links that trail back to RSA. Enjoy the read.


If you’d like to learn more with Monty St John, explore the cybersecurity world at

About the author

Monty St John

Monty is a security professional with more than two decades of experience in threat intelligence, digital forensics, malware analytics, quality services, software engineering, development, IT/informatics, project management and training. He is an ISO 17025 laboratory auditor and assessor, reviewing and auditing 40+ laboratories. Monty is also a game designer and publisher who has authored more than 24 products and 35 editorial works.