您的当前位置:首页 >知識 >【】TopicsAndroidCybersecurity 正文
时间:2026-07-07 21:33:34 来源:网络整理编辑:知識
Most malware requires some form of active user interaction in order to infect a device -- a click on
Most malware requires some form of active user interaction in order to infect a device -- a click on a link in a phishing email, or the installation of software from an unverified source.。
But a new type of attack, dubbed Cloak and Dagger, can basically take over your Android phone without your (conscious) help. Worse, no major version of Android is safe at this time. 。
SEE ALSO:Whoops. Millions of Android phones are wide open to hackers。Described by a team of researchers from the University of California and the Georgia Institute of Technology, Cloak and Dagger relies on the way Android UI handles certain permissions. 。
If an app is downloaded from Google's Play Store, researchers claim, it is automatically granted the SYSTEM_ALERT_WINDOW permission, aka "draw on top." You've likely seen this permission in action -- it's used by Facebook's chat heads, which float over other content on your screen.。

This can be used to hijack the user's clicks and lure her into giving the app another permission, called BIND_ACCESSIBILITY_SERVICE or a11y, which can be used for stealing your passwords and pins, for example.。
Thanks for signing up! 。
A hacker that combines both these vulnerabilities could silently install a "God-mode" app with all permissions enabled, including access to your messages and calls. 。
Even though a lot of this is intended behavior and not an actual exploit, it can definitely be used to take over someone's device. The researchers claim they tested it on 20 human subjects, none of which had realized what was going on. 。
The one thing that protects users right now is the fact that to do all this, the malicious app must be downloaded from Google's official Play Store, meaning that it has to pass Google's security checks. But from past examples we know it's definitely possible for malicious hackers to slip in a malware-infested app into Play Store. 。
"It is trivial to get such an app accepted on the Google Play Store." 。
"A quick experiment shows that it is trivial to get such an app accepted on the Google Play Store," the researchers claim. "We submitted an app requiring these two permissions and containing a non-obfuscated functionality to download and execute arbitrary code (attempting to simulate a clearly-malicious behavior): this app got approved after just a few hours (and it is still available on the Google Play Store)," they wrote.。
While Google has partially fixed the issue in the latest version of Android (7.1.2), the researchers claim it's still fully possible to take advantage of the vulnerabilities described above. According to the researchers, these aren't "simple bugs" but "design-related issues," meaning it will take more time to fix them; moreover, Google considers some of these issues as features, and does not currently plan to fix them. 。
To protect their devices, the only thing users can do right now is check which apps have access to the "draw on top" and a11y permissions. The steps to do this vary in different versions of Android; they are listed here. 。"We've been in close touch with the researchers and, as always, we appreciate their efforts to help keep our users safer. We have updated Google Play Protect -- our security services on all Android devices with Google Play -- to detect and prevent the installation of these apps. Prior to this report, we had already built new security protections into Android O that will further strengthen our protection from these issues moving forward," a Google spokesperson told。
Mashable. 。
There's a big piece of fake chicken stuck to this phone case2026-07-07 21:29
熱刺前瞻 :孫興慜缺陣 凱恩帶隊衝擊歐會杯小組首勝2026-07-07 21:05
奧斯卡或至少缺席足協杯前3輪 海港衝擊冠軍難度大大增加2026-07-07 21:01
國足備戰球員苦練累到說不出話 熱身敘利亞很有價值2026-07-07 20:58
This company is hiring someone just to drink all day2026-07-07 20:53
韓喬生:巴黎過於豪華難以操作 MNM一個也沒踢出來2026-07-07 20:37
阿克:父親在我歐冠破門幾分鍾後去世 這粒進球獻給他2026-07-07 19:55
巴薩官宣鋒線絕對主力手術成功 2021年或提前報銷2026-07-07 19:44
Teacher absolutely nails it with new homework policy2026-07-07 19:36
熱刺前瞻:孫興慜缺陣 凱恩帶隊衝擊歐會杯小組首勝2026-07-07 19:08
You will love/hate Cards Against Humanity's new fortune cookies2026-07-07 21:19
曼城VS萊比錫 :進球大戰場麵精彩 藍月防線存隱患2026-07-07 20:24
京媒 :虛假傳聞打破國足寧靜 不愛中國足球請別禍害它2026-07-07 20:15
巴薩VS拜仁 :後梅西時代的痛 紅藍還能刷新下限 ?2026-07-07 19:52
Early Apple2026-07-07 19:48
皇馬兩妖星連線獻絕殺閃耀梅阿查 安切洛蒂神換人2026-07-07 19:39
國米VS皇馬 :庫爾圖瓦開掛 安切洛蒂神換人定乾坤2026-07-07 19:33
越南隊長:中國和阿曼都很強 目標取得比前兩輪更好的結果2026-07-07 19:28
Airbnb activates disaster response site for Louisiana flooding2026-07-07 19:27
津門虎啟程赴濟南將踢三場熱身賽 維吉諾維奇亮相2026-07-07 19:25