Skycure reveals clickjacking malware that could affect over half a billion Android devices


Proving the old adage that no good deed goes unpunished, mobile security company Skycure revealed proof-of-concept malware at the RSA cyber security conference this week that attacks Android devices via a technique called “accessibility clickjacking.” The attack has been shown to work on versions of Android up through KitKat, placing over half a billion Android devices at risk.

The Accessibility APIs included in older versions of Android were put in place to help users interact with the operating system, and they can even perform actions on behalf of the user. The primary audience for these services is users with some type of disability, and the APIs allow things like text-to-speech tools to be used on a system-wide basis. The presence of these tools is certainly a good thing in trying to eliminate barriers to usage, but even the Android developers recognize they are a threat.

For that reason, Android includes some rather lengthy and explicit steps that a user has to go through in order to turn on Accessibility Services. Even with these hurdles, though, the researchers at Skycure thought this could be used as an attack vector. The question was how to get around the user interaction required to turn it on in the first place.

Skycure turned to a technique called “clickjacking.” In a clickjacking scenario, a hacker uses invisible elements in an interface to trick a victim into clicking on an element. Because of the malicious layer, the victim ends up clicking on one thing while mistakenly believing it is something else.

In the proof of concept, the researchers put together a relatively simple game. As players progress through the game, they click on various elements. However, Skycure included an invisible layer through which the user’s inputs are actually fed into the Accessibility permissions approval flow, so the player turns on Accessibility Services unknowingly.

Skycure points out that clickjacking on Android is not theoretical, as Symantec discovered some ransomware that uses the technique just last month.

Once the Accessibility Services have been turned on, hackers can take a wide variety of actions. They can snoop on all text-based interactions taking place, such as reading emails, SMS messages, other messaging platforms, or the data being entered in applications. They can also take actions like changing admin permissions or even creating a new device admin. Once that is achieved, devices can be locked, encrypted, or even wiped remotely.

The scary part of this is that these actions can be taken by the bad guys without the victim knowing they are going on and without requiring the victim to take any other actions. The attack also does not require a device to be rooted or other special actions to be performed to be effective.

Besides using an app like Skycure’s offering to help secure a device, the company recommends reviewing Accessibility settings on your device and preferably keeping them turned off. If Accessibility Services are needed, users should review the apps that have permission to access the services.
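One way to carry out the review recommended above from a computer, as an added example that is not from Skycure or the original article. It parses the value Android stores in the secure setting `enabled_accessibility_services` and lists every enabled service whose package is not on an allowlist; the function name, the allowlist and the sample value are constructed for illustration.

```shell
#!/bin/sh
# Added example: audit which accessibility services are enabled.
# On a connected device the raw value comes from:
#   adb shell settings get secure enabled_accessibility_services
# It is a colon-separated list of "package/ServiceClass" components,
# or "null" / empty when no service is enabled.

# Print each enabled component whose package is NOT in the allowlist.
#   $1 = raw setting value
#   $2 = space-separated allowlist of package names (assumption: you
#        maintain this list of services you knowingly turned on)
unexpected_a11y_services() {
    raw=$(printf '%s' "$1" | tr -d '\r\n')   # adb output may carry CR/LF
    allow=" $2 "
    if [ -z "$raw" ] || [ "$raw" = "null" ]; then
        return 0                              # nothing enabled
    fi
    old_ifs=$IFS
    IFS=':'
    set -f                                    # no globbing while splitting
    for comp in $raw; do
        [ -n "$comp" ] || continue
        pkg=${comp%%/*}                       # package part before the "/"
        case "$allow" in
            *" $pkg "*) ;;                    # knowingly enabled
            *) printf '%s\n' "$comp" ;;       # needs review
        esac
    done
    set +f
    IFS=$old_ifs
}

# Constructed sample value: TalkBack plus a hypothetical game's service.
SAMPLE='com.google.android.marvin.talkback/.TalkBackService:com.example.freegame/com.example.freegame.HelperService'
ALLOWLIST='com.google.android.marvin.talkback'

echo "Accessibility services to review:"
unexpected_a11y_services "$SAMPLE" "$ALLOWLIST"
```

Any component this prints is a service that was switched on without being on your list, which is the condition the attack described above produces.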

source: Skycure
via: BGR

About the Author: Jeff Causey


  • Daniel Robison

    I have been having trouble with my Accessibility settings suddenly changing out of nowhere and no way to fix them for about a year. Google and Samsung could not figure it out, so I’ve had to do 3 factory resets to fix things, the last one being just this morning. This article doesn’t say how to prevent these attacks other than to keep Accessibility turned off, which is not practical considering what these settings are mostly being used for, which has nothing to do with helping people with physical challenges.

  • Louie Cafarella

    Oh great.