The 2017 Pwnie Nominee For Most Over-Hyped Bug

Cloak and Dagger

Credit: Yanick Fratantonio, Chenxiong Qian, Simon Chung, Wenke Lee

An app with no explicit permissions could use the “draw on top” permission which allows clickjacking, keystroke recording, installation of other apps.

It had a domain name “”, which was a website that included videos, lots of text, and a long list of examples of press coverage. The research itself wasn’t entirely new, It wasn’t the first examples to use draw on top or a11y for attacks. However It still managed to get covered in main stream media like Newsweek and the International Business Times as well as other outlets, as pointed out on their page, like Blasting News and HotForSecurity.

Its kind of a cool attack but does require the app to be installed and the attack itself is so hard to describe that they did a usability study to see if it actually worked against people. For the record, if your exploit gets you a shell, you don’t need usability studies.

Cloak and Dagger(CVE: none)