Page 40 - Cyber Warnings
P. 40
Over 1 Billion Android Devices Vulnerable to Accessibility
Clickjacking
Exploit allows hackers to monitor all user activity, remotely wipe or encrypt
device
by Yair Amit, CTO and Co-founder, Skycure
A Devastating Vulnerability
Recently discovered by Skycure Research Labs, the
Accessibility Clickjacking vulnerability can be
exploited fairly easily with deceptive malware that
gives virtually unlimited visibility and control of the
victim’s device, without alerting the victim to the
intrusion. The implications of such an attack within
an organization could be extraordinary.
Exploits that take advantage of Accessibility Clickjacking can completely evade detection by
malware scanners that rely on signatures or traditional static and dynamic analysis approaches
because the malware uses legitimate functionalities of the operating system – the secret sauce
is in the context of using them together to get unexpected results.
Yet the hacker gains access and control to all textual activity on the device and can grant
themselves administrator rights in order to encrypt the device, change the passcode, and
threaten to wipe the device or sell the data to extract ransom.
Accessibility Clickjacking exploits two otherwise benign features of the Android operating
system. The first, Accessibility Services, were created to provide user interface enhancements
to help visually impaired users interact with their device. Understandably, these services have
access to all textual information, including messages, mail and documents. Additionally, to help
the user control the device, Accessibility Services can interact with and control virtually any
aspect of the device on behalf of the user, including granting administrative control.
This level of control is highly desirable by malicious hackers, but convincing a user to grant it is
usually very difficult. I hypothesized that a strategy called Clickjacking, where a user is tricked
into clicking on something other than what appears on-screen, could be used by hackers to
overcome this obstacle.
By using a second benign feature of Android – the ability to draw over apps – a hacker can
create deceptive malware, such as a fun game, which encourages the victim to tap in certain
locations on the screen while passing those taps through to the Settings screens. This activates
the evil accessibility service for the malware. Once that is accomplished, the malware has full
40 Cyber Warnings E-Magazine – June 2016 Edition
Copyright © Cyber Defense Magazine, All rights reserved worldwide
