您的当前位置:首页 >百科 >【】TopicsAndroidCybersecurity 正文
时间:2024-11-10 10:55:16 来源:网络整理编辑:百科
Most malware requires some form of active user interaction in order to infect a device -- a click on
Most malware requires some form of active user interaction in order to infect a device -- a click on a link in a phishing email, or the installation of software from an unverified source.。
But a new type of attack, dubbed Cloak and Dagger, can basically take over your Android phone without your (conscious) help. Worse, no major version of Android is safe at this time.。
SEE ALSO:Whoops. Millions of Android phones are wide open to hackers。Described by a team of researchers from the University of California and the Georgia Institute of Technology, Cloak and Dagger relies on the way Android UI handles certain permissions. 。
If an app is downloaded from Google's Play Store, researchers claim, it is automatically granted the SYSTEM_ALERT_WINDOW permission, aka "draw on top." You've likely seen this permission in action -- it's used by Facebook's chat heads, which float over other content on your screen. 。
This can be used to hijack the user's clicks and lure her into giving the app another permission, called BIND_ACCESSIBILITY_SERVICE or a11y, which can be used for stealing your passwords and pins, for example. 。
Thanks for signing up!。
A hacker that combines both these vulnerabilities could silently install a "God-mode" app with all permissions enabled, including access to your messages and calls.。
Even though a lot of this is intended behavior and not an actual exploit, it can definitely be used to take over someone's device. The researchers claim they tested it on 20 human subjects, none of which had realized what was going on. 。
The one thing that protects users right now is the fact that to do all this, the malicious app must be downloaded from Google's official Play Store, meaning that it has to pass Google's security checks. But from past examples we know it's definitely possible for malicious hackers to slip in a malware-infested app into Play Store.。
"It is trivial to get such an app accepted on the Google Play Store." 。
"A quick experiment shows that it is trivial to get such an app accepted on the Google Play Store," the researchers claim. "We submitted an app requiring these two permissions and containing a non-obfuscated functionality to download and execute arbitrary code (attempting to simulate a clearly-malicious behavior): this app got approved after just a few hours (and it is still available on the Google Play Store)," they wrote.。
While Google has partially fixed the issue in the latest version of Android (7.1.2), the researchers claim it's still fully possible to take advantage of the vulnerabilities described above. According to the researchers, these aren't "simple bugs" but "design-related issues," meaning it will take more time to fix them; moreover, Google considers some of these issues as features, and does not currently plan to fix them.。
To protect their devices, the only thing users can do right now is check which apps have access to the "draw on top" and a11y permissions. The steps to do this vary in different versions of Android; they are listed here. 。"We've been in close touch with the researchers and, as always, we appreciate their efforts to help keep our users safer. We have updated Google Play Protect -- our security services on all Android devices with Google Play -- to detect and prevent the installation of these apps. Prior to this report, we had already built new security protections into Android O that will further strengthen our protection from these issues moving forward," a Google spokesperson told。
Mashable.。
Tourist survives for month in frozen New Zealand wilderness after partner dies2024-11-10 10:40
周最佳:凱恩摧垮曼城奪MVP 羅伊斯造5球僅列替補2024-11-10 10:35
克勞奇 :C羅每次進球後都做Siu慶祝 這有點沒必要2024-11-10 10:33
曝中超超過70%俱樂部存在欠薪事實 且有降薪訴求2024-11-10 10:03
PlayStation Now game streaming is coming to PC2024-11-10 09:32
經紀人 :哪些中國俱樂部欠薪國外都清楚 真的是很丟人2024-11-10 09:19
皇馬與切爾西商談租借阿紮爾 7號球衣留給姆巴佩2024-11-10 09:00
國足最後兩場12強賽怎麽踢 ?目光該看向明年中國亞洲杯了2024-11-10 08:26
Katy Perry talks 'Rise,' her next batch of songs, and how to survive Twitter2024-11-10 08:17
巴頓 :國足最後兩場少挨罵是次要 主要給未來留希望2024-11-10 08:16
Over 82,000 evacuate as Blue Cut fire rapidly spreads in southern California2024-11-10 10:42
驚險!海港外援夫妻開超跑撞樹 事後表態再買一輛(圖)2024-11-10 10:23
拜仁難滿足天價續約訴求 昔日標王將自由轉會離隊2024-11-10 10:19
巴黎體育總監萊昂納多或下課 溫格接任搭檔齊達內 ?2024-11-10 10:07
Olympics official on Rio's green diving pool: 'Chemistry is not an exact science'2024-11-10 09:57
切爾西利好 !芒特詹姆斯恢複訓練 有望出戰利物浦2024-11-10 09:42
國足12強賽最後的目標 :最後兩個客場不能再崩盤2024-11-10 09:40
國足最後兩場12強賽怎麽踢?目光該看向明年中國亞洲杯了2024-11-10 08:53
Two astronauts just installed a new parking spot on the International Space Station2024-11-10 08:37
皇馬施壓姆巴佩!若與巴黎續約 此生將無緣伯納烏2024-11-10 08:31