Page 42 - Cyber Warnings
Android developers have taken a stronger defensive position with the Marshmallow (6.x)
operating system by requiring users to manually enable the ability to draw over other apps.
So, while there may still be some creative way to trick a user into doing this, I am not aware of it,
and Marshmallow remains safe from this exploit for today.
The Impact of Accessibility Clickjacking
Accessibility Clickjacking can allow malicious applications to access all text-based sensitive
information on an infected Android device, as well as take automated actions via other apps or
the operating system, without the victim’s consent.
This includes all personal and work emails, SMS messages, data from messaging apps,
sensitive data on business applications such as CRM software, marketing automation software
and more. Even sandboxed apps and secure email apps are susceptible to Accessibility
Clickjacking because everything the user has access to is exposed.
Once an “evil” Accessibility Service has been enabled on the device, hackers can even change
admin permissions. Not only that, the hacker can take actions without having the victim click on
anything or be aware of it happening. For example, the malware can enable the hacker to
create a new Device Admin.
This can have extreme implications including allowing the hacker to encrypt the device’s
storage, change or disable its passcode or even wipe the device remotely. This makes
Accessibility Clickjacking a very effective ransomware tool.
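A defender-side check for the condition described above, an unexpected Accessibility Service being enabled, is to audit the device's enabled-service list against an approved set. The following is an added example, not code from the original article; it parses the output of `adb shell settings get secure enabled_accessibility_services`, and the allowlist and sample device output are constructed assumptions.

```python
# Added example: flag enabled accessibility services that are not on an allowlist.
# Input is the text printed by:
#   adb shell settings get secure enabled_accessibility_services
# The value is a colon-separated list of "package/class" component names,
# or the literal string "null" when the setting has never been written.

def normalize(component):
    """Expand the short form 'pkg/.Cls' to 'pkg/pkg.Cls' so entries compare equal."""
    pkg, sep, cls = component.strip().partition("/")
    if not sep or not pkg or not cls:
        return component.strip()  # malformed: keep as-is so the audit flags it
    if cls.startswith("."):
        cls = pkg + cls
    return f"{pkg}/{cls}"

def parse_enabled_services(raw):
    """Return the enabled services as normalized component names, without duplicates."""
    raw = raw.strip()
    if raw in ("", "null"):
        return []
    services = []
    for item in raw.split(":"):
        if item.strip():
            comp = normalize(item)
            if comp not in services:
                services.append(comp)
    return services

def audit(raw, allowlist):
    """Return every enabled service that the allowlist does not cover."""
    allowed = {normalize(entry) for entry in allowlist}
    return [c for c in parse_enabled_services(raw) if c not in allowed]

# Assumed policy: only the screen reader is approved on managed devices.
ALLOWLIST = ["com.google.android.marvin.talkback/.TalkBackService"]

# Constructed sample output; com.example.flashlight is a hypothetical app.
SAMPLE = ("com.google.android.marvin.talkback/"
          "com.google.android.marvin.talkback.TalkBackService:"
          "com.example.flashlight/.HelperService\n")

if __name__ == "__main__":
    for component in audit(SAMPLE, ALLOWLIST):
        print("unapproved accessibility service enabled:", component)
```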
Remediation
Enterprises identify security as the number one issue preventing the adoption of mobile devices.
Traditional solutions like MDM and EMM, while great for mobile management, simply are not
designed to provide the visibility necessary to identify and protect from most malware, network-
based attacks or vulnerability exploits launched by malicious hackers.
Organizations looking to defend their mobile ecosystems from such threats should follow advice
from the major EMM vendors, which all recommend adding a Mobile Threat Defense solution
that is specifically designed for this purpose.
The SANS Institute identifies four essential threat vectors to protect against – physical, network,
malware, app/OS vulnerabilities – and recommends that solutions should have deep analysis
capabilities that leverage crowd-sourced intelligence.
Additionally, users can adopt behaviors that decrease the risk of exposure to malware.
Following is a list of user behavior recommendations to better protect end users from mobile
threats:
Cyber Warnings E-Magazine – June 2016 Edition
Copyright © Cyber Defense Magazine, All rights reserved worldwide