Smartphones running Google's Android operating system (OS) are currently vulnerable to a new threat dubbed a "cloak and dagger" attack, which could hijack handsets to steal private data.
It results not from a traditional malware infection but from the combination of two legitimate mobile permissions widely used in popular applications.
That's according to computer scientists from the Georgia Institute of Technology, who uncovered evidence the bug could be exploited by hackers to silently take control of devices and overlay screens with false information to hide malicious activity underneath – including password theft.
In a release this week (22 May), experts warned the issue will likely be difficult to resolve because it relies on commonly used Android features which can be misused even when they behave as normal.
"In cloak and dagger, we identified two different Android features that when combined, allow an attacker to read, change or capture the data entered into popular mobile apps," said Wenke Lee, a professor in Georgia Tech's School of Computer Science.
"The two features involved are very useful in mapping, chat or password manager apps, so preventing their misuse will require users to trade convenience for security," he continued, adding: "This is as dangerous an attack as we could possibly describe."
The first permission involved in the attack is called "BIND_ACCESSIBILITY_SERVICE," an accessibility feature that helps people with disabilities use their devices, for example by allowing inputs to be controlled by voice commands.
The second permission, known as "SYSTEM_ALERT_WINDOW," is a legitimate overlay feature often used in pop-up chat and social media applications.
In a hypothetical attack scenario, the overlay capability shows a mirrored version of the application to capture the user's credentials for the hacker, while the accessibility permission would then enter the data into the real app hidden beneath. The end user would have no idea anything was wrong.
The reason for the name was simple: When combined in a malicious way, "SYSTEM_ALERT_WINDOW" is the cloak and "BIND_ACCESSIBILITY_SERVICE" is the dagger.
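As an added illustration of the defensive side, not code from the researchers or the article, the script below audits an app's AndroidManifest.xml for the two capabilities described above and flags only the combination, since each permission on its own is legitimate. The manifest is a constructed sample for a hypothetical package; in practice the input would be the manifest extracted from an APK.

```python
"""Flag app manifests that combine the two 'cloak and dagger' capabilities."""
import xml.etree.ElementTree as ET

ANDROID_NS = "http://schemas.android.com/apk/res/android"
OVERLAY = "android.permission.SYSTEM_ALERT_WINDOW"
A11Y = "android.permission.BIND_ACCESSIBILITY_SERVICE"


def audit_manifest(manifest_xml: str) -> dict:
    """Report which of the two capabilities a manifest declares.

    'overlay' is true when SYSTEM_ALERT_WINDOW is requested; 'accessibility'
    is true when a <service> is protected by BIND_ACCESSIBILITY_SERVICE, which
    is how an app registers an accessibility service. 'cloak_and_dagger' is
    true only when both are present, the pairing the Georgia Tech team warned about.
    """
    root = ET.fromstring(manifest_xml)
    name_attr = f"{{{ANDROID_NS}}}name"
    perm_attr = f"{{{ANDROID_NS}}}permission"
    requested = {p.get(name_attr) for p in root.iter("uses-permission")}
    a11y_services = [s.get(name_attr) for s in root.iter("service")
                     if s.get(perm_attr) == A11Y]
    result = {
        "package": root.get("package"),
        "overlay": OVERLAY in requested,
        "accessibility": bool(a11y_services),
    }
    result["cloak_and_dagger"] = result["overlay"] and result["accessibility"]
    return result


# Constructed sample manifest for a hypothetical app; not taken from any real package.
SAMPLE_MANIFEST = """<manifest xmlns:android="http://schemas.android.com/apk/res/android"
    package="com.example.freegame">
  <uses-permission android:name="android.permission.INTERNET"/>
  <uses-permission android:name="android.permission.SYSTEM_ALERT_WINDOW"/>
  <application>
    <service android:name=".HelperService"
             android:permission="android.permission.BIND_ACCESSIBILITY_SERVICE">
      <intent-filter>
        <action android:name="android.accessibilityservice.AccessibilityService"/>
      </intent-filter>
    </service>
  </application>
</manifest>"""

if __name__ == "__main__":
    print(audit_manifest(SAMPLE_MANIFEST))
```

A hit means the app can both draw over other apps and read or inject input, which is worth a closer look at what the app actually needs; it is not proof of malice, since mapping, chat and password manager apps use the same features legitimately.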
Successful attacks would likely require the user to also install malware hidden in pirated games or third-party software. This is the same type of flaw recently uncovered by researchers from Check Point, a cybersecurity firm, which impacted "nearly 40%" of Android users.
While Google currently uses a system known as 'Bouncer' to scan applications in an attempt to fend off those containing viruses, some malware still slips through the cracks.
The Georgia Tech scientists tested a simulated cloak and dagger attack on 20 users of Android mobile devices and worryingly found that none of them noticed the hack taking place.
More details of the vulnerability will be presented 24 May at the IEEE Symposium on Security and Privacy in San Jose, California.
"This is a design flaw that some might say allows the app functionality to work as intended, but our research shows that it can be misused," said researcher Yanick Fratantonio. "Once the phone is compromised, there may be no way for the user to understand what has happened."
Android versions up to and including the current 7.1.2 are vulnerable to this attack. Google has confirmed it is aware of the issue but says the bug won't be resolved until the release of 'Android O' in Q3 2017. Nearly 10% of the top 5,000 Android apps currently use overlay features.
"Changing a feature is not like fixing a bug," Fratantonio stressed.
"System designers will now have to think more about how seemingly unrelated features could interact. Features do not operate separately on the device," he added.
How to stay protected
The researchers said there are a number of steps Android users can take to stay protected – even though the vulnerability can be exploited in current OS versions. There are two key precautions users should now take, experts Lee and Fratantonio explained.
One is to only download apps from the official Google Play store. A second is to check the permission requests that apps make before they are allowed to operate.
"Users need to be careful about the permissions that new apps request," Lee said, adding: "If there are very broad permissions, or the permissions don't seem to match what the app is promising to do, you need to be sure you really need that app.
"Apps from name-brand sources such as Facebook, Uber and Skype should be okay. But with a random game or free versions of paid apps that you might download, you should be very careful. These features are very powerful and can be abused [...] without you knowing."