Unmasking the Deceptive Techniques of Banking Malware: Cloak and Dagger Attacks

Mohamed Elsabagh | March 17, 2023

In the current digital world, the shift from traditional banking systems to online transactions and mobile apps has made safeguarding customer financial and personal data from threats an increasingly critical matter. With mobile apps becoming a prime target for attacks, the “cloak and dagger” attack against mobile banking apps (including payment apps) has emerged as a particularly simple yet potent tactic.

This blog aims to increase awareness of the cloak and dagger modus operandi, specifically how it uses two seemingly innocuous techniques to exploit users’ trust in banking apps. For end users, app developers, CIOs, and CISOs, understanding these tactics could be the key to protecting your financial assets and your organization’s reputation.

Understanding Cloak and Dagger Attacks

Cloak and dagger attacks can take various forms, but they all share two key steps: 1) drawing on top of other apps (i.e., the cloak) and 2) using accessibility services to control the device (i.e., the dagger). These attacks primarily target legitimate banking apps and employ these techniques to trick the end user into performing an action, divulging sensitive information, or inadvertently initiating transactions without the user’s consent or knowledge.

The Cloak: Drawing on top of other apps

Drawing on top of other apps allows the attacker to spoof benign apps by altering the graphical user interface (GUI) that the user sees. For example, when a banking app has a button to confirm a transaction, but the button is vulnerable to “tapjacking,” malware could spoof transactions by layering images on top of the banking app and around the button. This approach effectively conceals what the transaction is actually for and deceives the user into clicking without questioning the authenticity of the process.

The Dagger: Exploiting Accessibility Services

Drawing on top of other apps can be very difficult for the end user to detect. For persistence and control, banking malware uses the cloak tactic to trick the user into granting the malware access to the device accessibility services. This tactic is potent: it does not require root, and the malware could further hide its presence by cloaking the device settings GUI. By abusing accessibility services, the malware can mimic user interactions with the device, intercept notifications, read screen content, record keystrokes, and even attain authorization to perform tasks that the user would otherwise deny.

Combined, these two tactics let the cybercriminal impersonate both the user and the app, making it easier to acquire sensitive data, bypass security measures, and perform fraudulent transactions.

Tackling the Cloak and Dagger Menace

The proliferation of mobile banking apps has expanded the attack surface for financial institutions, and cloak and dagger attacks represent a rising threat in this landscape. As the world embraces the convenience of digital payment methods and online banking, it becomes paramount for organizations to take proactive steps in securing their platforms for end users. This involves investing in comprehensive security, regular audits, and engaging with security experts for ongoing protection against the ever-evolving threats.

What Developers Should Do:

  • Understand the attack surface of your app.
  • Follow secure coding practices.
  • Harden your app by layering multiple barriers, including TLS pinning, tamper detection, device integrity checks, and multi-factor authentication.
  • Routinely scan your app for security weaknesses using rigorous, state-of-the-art scanners.
  • Filter touch events when the app window or any part of it is obscured by another app. (Reference 1 & 2)
  • Block screen recording of sensitive views. (Reference)
  • Block accessibility access to sensitive views if an unrecognized accessibility service is present on the phone. (Reference 1, 2, & 3)
  • Use Q-Scout and/or Q-Vet to manage and vet apps within your fleet.
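
The touch-filtering, screen-recording, and accessibility items above, combined in one Android activity. This is an added Kotlin example, not code from Quokka or from the original post; the activity name, the button, and the trusted-service allowlist are hypothetical.

```kotlin
import android.accessibilityservice.AccessibilityServiceInfo
import android.app.Activity
import android.content.Context
import android.os.Bundle
import android.view.MotionEvent
import android.view.View
import android.view.WindowManager
import android.view.accessibility.AccessibilityManager
import android.widget.Button

// Hypothetical allowlist of accessibility-service packages the app recognizes.
private val TRUSTED_A11Y_PACKAGES = setOf("com.google.android.marvin.talkback")

class ConfirmTransferActivity : Activity() { // hypothetical sensitive screen
    override fun onCreate(savedInstanceState: Bundle?) {
        super.onCreate(savedInstanceState)
        // Keep this window out of screenshots and screen recordings.
        window.addFlags(WindowManager.LayoutParams.FLAG_SECURE)
        val confirm = Button(this).apply { text = "Confirm transfer" }
        setContentView(confirm)
        // Cloak defence: discard touches that passed through another visible window.
        confirm.filterTouchesWhenObscured = true
        // The filter above only covers an overlay at the touched location; also
        // consume touches when an overlay sits elsewhere on the window (API 29+ flag).
        confirm.setOnTouchListener { _, ev ->
            (ev.flags and MotionEvent.FLAG_WINDOW_IS_PARTIALLY_OBSCURED) != 0
        }
        confirm.setOnClickListener { /* submit the transaction here */ }
    }

    override fun onResume() {
        super.onResume()
        // Dagger defence: re-check on every resume, since services can be enabled
        // while the app is in the background. Hiding applies to all services.
        val root = findViewById<View>(android.R.id.content)
        root.importantForAccessibility =
            if (unrecognizedServices().isEmpty()) View.IMPORTANT_FOR_ACCESSIBILITY_AUTO
            else View.IMPORTANT_FOR_ACCESSIBILITY_NO_HIDE_DESCENDANTS
    }

    private fun unrecognizedServices(): List<String> {
        val am = getSystemService(Context.ACCESSIBILITY_SERVICE) as AccessibilityManager
        return am.getEnabledAccessibilityServiceList(AccessibilityServiceInfo.FEEDBACK_ALL_MASK)
            .map { it.resolveInfo.serviceInfo.packageName }
            .filterNot { it in TRUSTED_A11Y_PACKAGES }
    }
}
```

Hiding the view tree also hides it from trusted assistive tools while an unrecognized service is enabled, so the allowlist should cover the accessibility services your users actually rely on.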

Raising public awareness about these tactics is also essential for ensuring users are cautious when using banking apps or doling out their personal information.

What Users Should Do:

  • Keep your phone up to date. Google has been introducing access restrictions to accessibility services to help reduce the attack surface. (Reference)
  • Only use reputable accessibility tools from trusted developers. (The following cover most needs 1, 2, 3, & 4)
  • Only install apps from the official app store. Do not side-load apps or install apps from unknown sources.
  • Avoid overly permissive apps from untrusted developers, particularly ones that require full control of one or more device functions.
  • Be extra careful of apps requesting accessibility permissions. Only grant accessibility access to trusted apps, and only if there is a need to.
  • Download Q-Scout to help warn you about apps holding sensitive permissions.
