Usually, vulnerabilities in software are accidents or mistakes—flaws that shouldn’t be there. But they can also stem from unintended consequences of features working the way they’re supposed to. Those problems prove difficult to resolve, especially if the potentially impacted feature has an important, legitimate use. That’s what happened with Cloak & Dagger, an attack that manipulates attributes of the operating system’s visual design and user interface to hide malicious activity.

Researchers at the Georgia Institute of Technology and University of California, Santa Barbara first detailed the vulnerabilities in May, and have worked with Google since to address them. But while Google has addressed many of the bugs in its upcoming Android O release, the methods persist on current versions of Android, potentially exposing virtually all Android users to an insidious attack.

“User interface bugs are out there and they can be exploited and it’s quite easy to implement them,” says Yanick Fratantonio, a mobile security researcher who works on the project and helped present the latest Cloak & Dagger updates at the Black Hat security conference Thursday. “The attacks are a very big deal, but they’re difficult to fix. You can’t just change [the vulnerable features] because you have backward compatibility problems.”

In addition to the protections baked into Android O, a Google spokesperson said in a statement that, “We’ve been in close touch with the researchers and, as always, we appreciate their efforts to help keep our users safer. We have updated Google Play Protect—our security services on all Android devices with Google Play—to detect and prevent the installation of these apps.”

The main Cloak & Dagger attacks affect all recent versions of Android, up to the current 7.1.2. They take advantage of two Android permissions: one, known as SYSTEM_ALERT_WINDOW, which allows apps to display overlay screens for things like notifications, and one called BIND_ACCESSIBILITY_SERVICE, a permission for accessibility services that allows tracking and querying of visual elements displayed on the phone. These permissions can be abused individually, or in tandem.

When you download apps from Google Play that request the System Alert overlay permission, Android grants it automatically, no user approval required. That means malicious apps that ask for that permission can hide ill-intentioned activity behind innocuous-looking screens. For example, the app can request a permission that the user must approve, but cover that request notification with another screen that asks for something innocent, leaving a hole in the cover screen for the real “Accept” button. This type of bait and switch is a version of an attack known as “click-jacking.”

In the case of Cloak & Dagger, the permission the researchers tricked test subjects into accepting is called the Bind Accessibility Service. When users grant this permission, apps gain the ability to track objects across the screen, interact with them, and even manipulate them. Normally, these capabilities are reserved for services that address disabilities like physical and visual impairments. In the hands of a malicious app, they can prove devastating.

Once the attacker has user approval for the accessibility permission, the attacker can abuse it for types of keystroke logging, phishing, and even stealthy installation of other malicious apps for deeper access to the victim system. The accessibility permission also makes it possible for a hacker to simulate user behavior, a powerful capability.

“We let ‘other apps’ or ‘a fake user’ do the bad things for us,” Fratantonio says. “In other words, instead of hacking, for example, the Settings app, we just simulate a user that is clicking around and ‘ask’ the Settings app to do things for us like enable all the permissions.”

The researchers have developed many variations of these attacks, and have found that they can even take over systems with only the first system-alert permission, by manipulating overlays to trigger the download of a second app that can work with the first to infiltrate the system. The variation in approach, and the distributed nature of the attacks, makes them difficult to consistently detect.

Because of Google’s remediation efforts, some versions of the attacks don’t work in all versions of Android anymore, but there are so many variations that there would still be plenty of options for an attacker. And Android’s fragmented version adoption means that for most users, the patchwork of remaining vulnerabilities will likely persist for a long time yet.