Researchers at the Georgia Institute of Technology and the University of California at Santa Barbara have discovered a serious vulnerability affecting all versions of the Android OS (including the latest version of Android 7. 2 Nougat).

The problem is called Cloak and Dagger. With its help, an attacker can steal the information stored on the device, creating a malicious application that asks only two permissions. The application only needs to access BIND ACCESSIBILITY SERVICE ("a11y") and SYSTEM ALERT WINDOW (drawing on top of other windows), and it will be able to record keystrokes and steal passwords and other sensitive data.

Of course, getting the user to give malicious software the requested access is not so easy, but in the arsenal of experienced cybercriminals a lot of clever techniques. Once the victim has given the application the aforementioned permissions, malicious users can surreptitiously download malicious software, steal information and gain control of the device.

According to researchers, the vulnerability allows you to perform all sorts of serious attacks, ranging from stealing passwords and PIN-codes and ending with the inconspicuous installation of applications that work in "God mode," and the victim does not even know about it.

Google has taken appropriate measures to improve the safety of its mobile OS immediately after receiving a message of vulnerability.

"We have updated Google Play Protect (our security service for all Android devices with Google Play) to detect and prevent the installation of similar applications," the company said..

Most likely, a patch for the vulnerability Cloak and Dagger will be released with the release of the following scheduled updates for Android. However, considering the fact that between the release of the update and its receipt by end users a long time passes, the vulnerability poses a serious threat to security.

Details on exploiting the vulnerability are provided in the videos below.