Cloak and dagger – the app security threats hiding in plain sight

It’s rare to see a day go by without a new software vulnerability being discovered that can be exploited to attack users. Thankfully, one of the most recent threats was discovered by computer scientists at Georgia Institute of Technology in Atlanta rather than malicious black hats. The team discovered a flaw in the Android OS, going all the way up to the most recent version 7.1.2, which would enable attackers to control the UI feedback of the device and essentially take complete control, all without tipping off the user. 

The attack would actually exploit two normal Android permissions: SYSTEM_ALERT_WINDOW ("draw on top") and BIND_ACCESSIBILITY_SERVICE ("a11y"). The "draw on top" permission is used by apps such as messenger services to pop alerts up over the rest of the screen, while a11y can be used to steal PINs and passwords. When used in conjunction, attackers could essentially control and access anything on the device.

Making the exploit even more dangerous, the functions could be accessed by an app without the need for obviously malicious activity. This means that an app hiding malware that would exploit the Cloak and Dagger technique could make it through Google’s Play Store and be downloaded by an unsuspecting user who assumed it must be safe.

Again, thankfully the fatal exploit was discovered by benign researchers rather than by cyber criminals, who might have spread it across the dark web. The team notified Google, who were quick to update the Play Store's security procedures to detect apps hiding code that would trigger the exploit.

Climbing the walled garden

However, there is every chance the next exploit of this power will fall into the wrong hands and be used to launch attacks before Google – or whichever publisher is next – is able to shut it down. The potential damage this stealthy attack vector could inflict also serves to highlight how dangerous corrupted and malicious fake applications can be.

Previously, apps loaded with malware have been restricted to unofficial sites and portals, generally frequented by users who have jailbroken their devices to remove safety restrictions and access more functionality. These sources are also sometimes used to access apps which have not yet, or will not be, launched in particular regions – something that was very common with last year’s summer smash, Pokémon Go.

Ordinarily this has made malicious apps something of a cautionary tale, with developers and publishers taking the stance that users who keep their device within its proper settings and only use trusted and approved app stores will be kept safe.

However, this “walled garden” has begun to crumble in recent years. The fact that an app exploiting Cloak and Dagger could make it through is almost as worrying as the “God Mode” it would grant attackers, but it is unfortunately not the only example and cracks have been appearing for some time. In late 2015 for example, it was discovered that a malware dubbed YiSpecter had been hiding in apps available through the Apple App Store in China and Taiwan for more than 10 months. 

How trusted apps are subverted

Of course, getting a malicious app through the walled garden is only half a victory for the criminals – they need victims to download it too. While packaging the payload in a generic mobile game or fitness app will undoubtedly snare some users, the best way to hit as many users as possible is to hijack a known brand. Pokémon Go once again served as an example here, with several apps purporting to be guides to the game harbouring malware. A more time-consuming but even more dangerous strategy is to republish a fully functional but corrupted version of a popular app.

To pull this off, an attacker first needs to break into an application’s security and access its binary code. Mobile apps are particularly vulnerable to this, as once they are published, they are essentially out of the developer’s hands. Attackers can transfer them to a sandbox environment and bombard them with attacks until a way through their security is found – making it only a matter of time. Arxan’s research has also found that the majority of apps lack binary protection, including almost all of the top financial apps we have tested. 

By accessing and modifying the app’s binary code, criminals can change how it functions, from removing security controls and restrictions, to loading it with malware designed to target the device or other applications. In this instance, the attacker can create a clone of the target app which conceals malicious code. The app can then be republished – and if the malicious code is as stealthy as the Cloak and Dagger exploit, it can even appear in an authorised app store. 

Outside of the app portals run by the OS vendors, there have also been examples of this attack technique exploiting developers' official websites. In May, an open-source video app, HandBrake, was covertly replaced with a corrupted copy hiding malware. One of the most prominent victims was another developer, Panic, which suffered the theft of source code for several of its own apps.

Taking control of security

Developers should take note of these developing new attack techniques and understand that they can no longer rely on the security checks of walled garden app stores to keep malicious fakes of their apps away from their customers. Instead, they need to take their security into their own hands and deploy measures to keep their code safe.

Perhaps the most effective combination for protecting binary code is to deploy both code obfuscation techniques and debugger detection measures side by side. Obfuscation will mean that any attackers who are able to break into the app will find a jumble of nonsensical code with very little way of identifying encryption keys and other important data needed to unpick and remake the app. Debugger detection meanwhile will have the app detect if it has been opened in a sandbox environment rather than a real mobile device – a sure sign that someone is attempting to tamper with it. Coupled with this, the app can contain hidden checksums that will detect if it has booted up with any alterations to its code. If anything unusual is detected, the app can refuse to open, and can potentially even alert the developer. 
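As an added illustration of two of the checks described above (example code written for this page, not Arxan's product or any code from the original article), a runtime self-check for an Android app on API 28 or later: it compares the digest of the APK's signing certificate with the developer's release certificate, since a repackaged clone must be re-signed with a different key, and it looks for an attached debugger via the JDWP connection flag and the kernel's TracerPid field. The expected certificate digest is a placeholder to be filled in from the real release keystore.

```java
import android.content.Context;
import android.content.pm.*;
import android.os.Debug;
import java.io.*;
import java.math.BigInteger;
import java.security.MessageDigest;
import java.security.NoSuchAlgorithmException;

/** Runtime tamper checks for an Android app (API 28+). Added example, not Arxan's code. */
public final class TamperChecks {
    // PLACEHOLDER: hex SHA-256 of the developer's release signing certificate.
    // A repackaged clone cannot be signed with the original key, so its digest differs.
    private static final String EXPECTED_SIGNER_SHA256 = "<RELEASE-CERT-SHA256-PLACEHOLDER>";

    /** True only if every signer of the running APK matches the expected release certificate. */
    public static boolean signerMatches(Context ctx) {
        try {
            PackageInfo info = ctx.getPackageManager().getPackageInfo(
                    ctx.getPackageName(), PackageManager.GET_SIGNING_CERTIFICATES);
            Signature[] signers = info.signingInfo.getApkContentsSigners();
            if (signers == null || signers.length == 0) return false;
            MessageDigest md = MessageDigest.getInstance("SHA-256");
            for (Signature s : signers) {
                // digest() resets md, so it can be reused for the next signer
                String hex = String.format("%064x", new BigInteger(1, md.digest(s.toByteArray())));
                if (!hex.equalsIgnoreCase(EXPECTED_SIGNER_SHA256)) return false;
            }
            return true;
        } catch (PackageManager.NameNotFoundException | NoSuchAlgorithmException e) {
            return false; // cannot verify: treat as tampered
        }
    }

    /** True if a debugger is attached: the JDWP connection flag or a non-zero TracerPid. */
    public static boolean debuggerAttached() {
        if (Debug.isDebuggerConnected()) return true;
        try (BufferedReader r = new BufferedReader(new FileReader("/proc/self/status"))) {
            String line;
            while ((line = r.readLine()) != null) {
                if (line.startsWith("TracerPid:")) {
                    return Integer.parseInt(line.substring("TracerPid:".length()).trim()) != 0;
                }
            }
        } catch (IOException | NumberFormatException e) {
            // status file unreadable: no evidence either way, so report not attached
        }
        return false;
    }
}
```

Both checks are plain Java that an attacker with the binary can locate and patch out, which is why the text pairs such checks with obfuscation rather than relying on them alone.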

By taking responsibility for their own security with these and other defensive measures, developers can rest assured they have done their best to protect their users from attacks. While attackers will continue to discover powerful new exploits that work around the stringent security measures of app stores, developers can help to make it far more difficult for the criminals to actually deploy these attacks successfully. 

Winston Bond, EMEA Technical Director, Arxan Technologies