Security on Android is an ever-changing landscape, and the newly found Cloak And Dagger exploit, which can completely hijack a phone without a user's knowledge and relies on Android security flaws that would be extremely difficult to fix, is proof of that. The exploit takes advantage of two rather innocuous permissions that can be embedded in Play Store apps without even having to notify a user of their presence. Once the exploit takes root, it can control a device in a number of unexpected ways, up to and including the installation of a separate, hidden app with full system privileges that can allow an attacker to do just about anything they want.
One permission that's taken advantage of in these potential attacks is the "draw on top" permission, which allows an app to draw an overlay on another app, or put a transparent object that the user can interact with on top of another app. This permission, when exploited, can record a user's activities and keystrokes, for example. Clickjacking to lure the user into enabling accessibility or system administrator settings is also possible. Using the "accessibility service" permission, on the other hand, means that an app can do things like inject a PIN code into a device and perform actions with the screen off, or even fake two-factor authentication. Combining these privileges allows the aforementioned fully privileged app installation, as well as secretly stealing all of a user's data and passwords.
The vulnerabilities were all tested on Android 5.1.1 (Lollipop), 6.0.1 (Marshmallow), and 7.1.2 (Nougat). They all worked, though some parts of the exploit required workarounds in Nougat due to fixes that Google implemented, as well as an update to Gboard meant to fix keystroke phishing. When tested on a group of 20 users, the exploit left them all baffled, and none of them could pinpoint when it had taken root. For the most part, they didn't even know it was in the system until it began to take action or hijacked the device entirely. An issue tracker on Google's website that presents the issues was eventually marked as "won't fix," but details of exactly how it works and why the issue won't be fixed aren't available to the general public. The team that found the exploit is opting to only share full information with security researchers that they feel are qualified.