Do you like downloading and trying a wide range of Android games and apps? You may want to rethink that habit, or at least proceed with caution. A newly disclosed Android vulnerability means miscreants can use apparently harmless apps to fool you into giving them "permission" to take control of your phone or tablet and watch everything you do with it.

Researchers at UC Santa Barbara and the Georgia Institute of Technology recently revealed a vulnerability they call Cloak & Dagger that can let miscreants use your phone's own permissions against you. It works like this: You download and run a new app. As so many apps do, it pops up an opening screen that asks you to agree to something. That something could be almost anything: Click here to watch our tutorial video. Or proceed to the game. It doesn't really matter what the app appears to be asking you to do. What it's really doing is asking your permission for administrative powers that let it use your phone for...whatever it likes.

How does it manage to fool you? Using an Android feature called "Draw over other apps," in which an image or dialog box appears on top of anything else that might be on your device's screen. The "chat heads" used by Facebook Messenger are one example of how this works.

Google routinely grants apps the right to draw over other apps if they request it. Overlays can be highly useful, but a cleverly crafted one could be laid on top of an Android warning about granting an app extensive permissions, making it appear that you're saying OK to something completely different. One example is that the app can use this trick to switch on accessibility functions. That allows the nefarious app to see and record your keystrokes, as some accessibility services need to do in order to function.

This (silent) video shows how it works:

What can you do about it? Unfortunately, current versions of Android do not ask for your permission for a newly installed app to draw over other apps. So to find out if you're affected, begin by going into Settings, tapping Apps, and then tapping the settings gear in the upper right of the app listing. At the bottom of the list that appears, you'll find "Special access." Tap that to see which apps have the right to draw over other apps. You can get detailed information about this vulnerability and how to check your device here.
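The two settings the article describes (an app's right to draw over other apps, and the accessibility services it has switched on) can also be audited from a computer over USB debugging, which is handy if you manage several devices or want the list in writing. The script below is an added example and is not code from the article or from the researchers; it assumes the Android SDK's `adb` tool is on your PATH and a device is plugged in with USB debugging enabled. "Draw over other apps" is the `SYSTEM_ALERT_WINDOW` app-op that `appops get` reports, and the enabled accessibility services are stored in the secure setting `enabled_accessibility_services`. The sample outputs used to exercise the parsers are constructed, as are the package names in them.

```python
"""Audit an attached Android device for the two permissions Cloak & Dagger
chains together: 'draw over other apps' (SYSTEM_ALERT_WINDOW) and enabled
accessibility services.  Added example, not from the article.  Assumes the
Android SDK's `adb` is on PATH and a device is connected with USB debugging
enabled; the adb subcommands are real, the sample outputs are constructed."""
import subprocess
from typing import Dict, List


def adb_shell(*args: str) -> str:
    """Run `adb shell <args>` and return its stdout (assumes adb on PATH)."""
    proc = subprocess.run(["adb", "shell", *args],
                          capture_output=True, text=True, check=True)
    return proc.stdout


def parse_package_list(text: str) -> List[str]:
    """Parse `pm list packages -3` output: one 'package:<name>' per line."""
    pkgs = []
    for line in text.splitlines():
        line = line.strip()
        if line.startswith("package:"):
            pkgs.append(line[len("package:"):])
    return pkgs


def parse_appops(text: str) -> str:
    """Parse `appops get <pkg> SYSTEM_ALERT_WINDOW` output.

    Returns the mode word ('allow', 'deny', 'ignore', 'default') or 'unset'
    when the device prints 'No operations.' because the op was never set.
    """
    for line in text.splitlines():
        line = line.strip()
        if line.startswith("SYSTEM_ALERT_WINDOW:"):
            # e.g. "SYSTEM_ALERT_WINDOW: allow; time=+1d0h ago" -> "allow"
            return line.split(":", 1)[1].strip().split(";", 1)[0].strip()
    return "unset"


def parse_accessibility_services(text: str) -> List[str]:
    """Parse `settings get secure enabled_accessibility_services`.

    The value is a colon-separated list of 'package/service' entries, or the
    literal string 'null' when no service is enabled.
    """
    value = text.strip()
    if not value or value == "null":
        return []
    return [entry for entry in value.split(":") if entry]


def overlay_report(packages: List[str], appops_by_pkg: Dict[str, str],
                   services: List[str]) -> Dict[str, Dict[str, bool]]:
    """Combine the three data sources into one row per third-party package.

    'both' flags packages that hold the overlay permission AND run an enabled
    accessibility service, which is the combination the article warns about.
    """
    service_pkgs = {s.split("/", 1)[0] for s in services}
    report: Dict[str, Dict[str, bool]] = {}
    for pkg in packages:
        overlay = appops_by_pkg.get(pkg, "unset") == "allow"
        a11y = pkg in service_pkgs
        report[pkg] = {"overlay": overlay,
                       "accessibility": a11y,
                       "both": overlay and a11y}
    return report


if __name__ == "__main__":
    # Live run against the attached device (constructed samples are in the
    # test harness, so importing this module never touches adb).
    pkgs = parse_package_list(adb_shell("pm", "list", "packages", "-3"))
    modes = {p: parse_appops(adb_shell("appops", "get", p,
                                       "SYSTEM_ALERT_WINDOW")) for p in pkgs}
    services = parse_accessibility_services(
        adb_shell("settings", "get", "secure",
                  "enabled_accessibility_services"))
    for pkg, info in sorted(overlay_report(pkgs, modes, services).items()):
        if info["overlay"] or info["accessibility"]:
            tag = ("BOTH   " if info["both"] else
                   "overlay" if info["overlay"] else "a11y   ")
            print(f"{tag}  {pkg}")
```

Packages tagged `BOTH` deserve a look first: an app that legitimately needs to draw over other apps (a chat bubble, a screen filter) rarely also needs an accessibility service, and on the Android versions the article covers, revoking either half in Settings breaks the chain.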

Google has known about this vulnerability for some time now--the researchers alerted the company months before telling the rest of us. And the company says it is able to detect and block Play Store apps that take advantage of it. So a good place to start would be to avoid downloading Android apps from anywhere other than the Play Store unless you know and trust the source. And hope that Google finds a way to close this security loophole soon.

Published on: May 27, 2017