Cloak and Dagger — Mobile Malware Techniques Demystified

No, not like that

How it works

The cloak and dagger attack takes advantage of two Android permissions:


The Cloak

SYSTEM_ALERT_WINDOW is used to draw over other Android apps. If an app installed from the Play Store requests this permission in its AndroidManifest.xml file, it will automatically be granted by the system. This forms the first building block of the cloak part of the exploit. Many apps, like Google Maps, use this permission for legitimate purposes.

Google Maps uses SYSTEM_ALERT_WINDOW to display directions when it's in the background
A malicious View.OnTouchListener that checks for taps outside of the overlays
The cloak portion of the attack. The entire screen is covered except the areas that trick the victim into enabling the accessibility service.

The Dagger

Once the victim has enabled our accessibility service, we have de facto control over the device. Android passes information to the service’s onAccessibilityEvent method after most user activity, including keystrokes, lock screen key presses, URLs and much more.

The dagger capturing a user’s lock screen PIN
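A defender-side check for the permission pair described above, as an added example that is not part of the original post or its proof of concept: it parses a decoded (text) AndroidManifest.xml and flags apps that request SYSTEM_ALERT_WINDOW and also declare an accessibility service. The function name, result keys and sample manifests are constructed for illustration, and the manifest is assumed to be already decoded from the APK's binary XML.

```python
import xml.etree.ElementTree as ET

ANDROID = "{http://schemas.android.com/apk/res/android}"
OVERLAY = "android.permission.SYSTEM_ALERT_WINDOW"
BIND_A11Y = "android.permission.BIND_ACCESSIBILITY_SERVICE"
A11Y_ACTION = "android.accessibilityservice.AccessibilityService"

def audit_manifest(manifest_xml):
    """Flag a decoded (text) AndroidManifest.xml that pairs the overlay
    permission with an accessibility service declaration."""
    root = ET.fromstring(manifest_xml)
    requested = {e.get(ANDROID + "name")
                 for tag in ("uses-permission", "uses-permission-sdk-23")
                 for e in root.iter(tag)}
    services = []
    for svc in root.iter("service"):
        actions = {a.get(ANDROID + "name") for a in svc.iter("action")}
        # An accessibility service is guarded by BIND_ACCESSIBILITY_SERVICE
        # and answers the AccessibilityService intent action.
        if svc.get(ANDROID + "permission") == BIND_A11Y or A11Y_ACTION in actions:
            services.append(svc.get(ANDROID + "name"))
    overlay = OVERLAY in requested
    return {"package": root.get("package"), "overlay": overlay,
            "accessibility_services": services,
            "flagged": overlay and bool(services)}

# Constructed sample manifests; package and service names are made up.
SAMPLE_BOTH = """<manifest xmlns:android="http://schemas.android.com/apk/res/android"
    package="com.example.constructed.both">
  <uses-permission android:name="android.permission.SYSTEM_ALERT_WINDOW"/>
  <application>
    <service android:name=".HelperService"
        android:permission="android.permission.BIND_ACCESSIBILITY_SERVICE">
      <intent-filter>
        <action android:name="android.accessibilityservice.AccessibilityService"/>
      </intent-filter>
    </service>
  </application>
</manifest>"""
SAMPLE_OVERLAY_ONLY = """<manifest xmlns:android="http://schemas.android.com/apk/res/android"
    package="com.example.constructed.overlay">
  <uses-permission android:name="android.permission.SYSTEM_ALERT_WINDOW"/>
  <application/>
</manifest>"""

if __name__ == "__main__":
    for sample in (SAMPLE_BOTH, SAMPLE_OVERLAY_ONLY):
        print(audit_manifest(sample))
```

Legitimate apps also combine these two capabilities, so a flagged result is a prompt for manual review rather than a verdict.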


A proof of concept is on GitHub. You’ll have to manually enable the “Draw Over Other Apps” permission since you’ll be sideloading this app. The attack has been tested on the following devices:

  • Nexus 5X Nougat
  • Nexus 5X Marshmallow
  • Nexus 4 Lollipop




Jonathan Cooper



I’m a cybersecurity consultant who develops software. I help agile teams deliver secure digital experiences to their customers.