Proving the old adage that no good deed goes unpunished, mobile security company Skycure revealed a proof of concept malware at the RSA cyber security conference this week that attacks Android devices via a technique called “accessibility clickjacking.” The attack has been shown to work on versions of Android up through KitKat placing over half a billion Android devices at risk.
The Accessibility APIs included in older versions of Android were put in place to help users interact with the operating system and even perform actions on behalf of the users. The primary target for these services are users with some type of disability and allows for things like text-to-speech tools to be used on a system-wide basis. The presence of these tools is certainly a good thing in trying to eliminate barriers to usage, but even the Android developers recognize it is a threat.
For that reason, Android includes some rather lengthy and explicit steps that a user has to go through in order to turn on Accessibility Services. Even with this trouble though, the researchers at Skycure thought this could be used as an attack vector. The question was how to get around the required user interaction needed to turn it on in the first place.
Skycure turned to a technique called “clickjacking.” In a clickjacking scenario, a hacker will use invisible elements in an interface to trick a victim into clicking on an element. However, thanks to the malicious layer, the victim ends up clicking on one thing that they mistakenly believe is something else.
In the proof of concept, the researchers put together a relatively simple game. As players progress through the game, they are clicking on various elements. However, Skycure included an invisible layer by which the user’s inputs are actually fed into the Accessibility permissions approval flow, thereby turning on Accessibility Services unknowingly.
Skycure points out that clickjacking on Android is not theoretical as Symantec just discovered some ransomware that uses the technique just last month.
Once the Accessibility Services have been turned on, hackers can take a wide variety of actions. They can just snoop on all text based interactions taking place, like reading emails, SMS messages, other messaging platforms, or the data being entered in applications. They can also take actions like changing admin permissions or even creating a new device admin. Once that is achieved, devices can be locked, encrypted, or even wiped remotely.
The scary part of this is that these actions can be taken by the bad guys without the victim knowing they are going on or even requiring the victim to take any other actions. The attack also does not require a device to be rooted or other special actions to be performed to be effective.
Besides using an app like Skycure’s offering to help secure a device, the company recommends reviewing Accessibility settings on your device and preferably keeping them turned off. If Accessibility Services are needed, users should review the apps that have permission to access the services.