Researchers have found that a vulnerability in Android that allows attackers to trick users into granting apps elevated privileges affects far more devices than originally thought: nearly 96 percent of all Android devices.
The vulnerability is not a typical bug. It relies on some user interaction and lies in the way that Android allows apps to draw over one another. Using that ability, an attacker can overlay an app on top of the Accessibility Services app in Android and trick the user into making a series of clicks that grants the app a broad range of advanced permissions. The attack is a mobile variant of the old clickjacking technique known from desktop browsers, and researchers at Skycure found that 95.4 percent of Android devices are vulnerable to it.
The researchers disclosed the original problem in March during the RSA Conference, but said Tuesday that they’ve now confirmed that it works on devices running Marshmallow, as well as older devices. The target of the attack is the Accessibility Services portion of Android, a feature of the OS that is designed to help users with disabilities interact with a device. Many of those services have very powerful permissions, and can take a variety of actions on behalf of the user.
“Recognizing this potential, starting with Lollipop (5.x), Google added additional protection to the final ‘OK’ button that would grant these accessibility permissions. In other words, Android programmers wanted to make sure that if a user was going to turn on Accessibility Services, the OK button could not be covered by an overlay, and the user would be sure to know what they are allowing,” Yair Amit, CTO of Skycure, wrote in a post explaining the issue.
However, Skycure found that by overlaying another app on top of the Accessibility Services screen (a behavior that is part of Android’s design), an attacker could guide a victim through the process of granting the malicious app high privileges by clicking on various parts of the overlay. Those clicks pass through the overlay and press the OK button in the Accessibility Services screen underneath.
“Accessibility Clickjacking can allow malicious applications to access all text-based sensitive information on an infected Android device, as well as take automated actions via other apps or the operating system, without the victim’s consent. This would include all personal and work emails, SMS messages, data from messaging apps, sensitive data on business applications such as CRM software, marketing automation software and more,” Amit said in the original post on the issue.
Skycure disclosed the vulnerability to Google, which controls the Android code base, before its initial public discussion of it in March, but Google is not going to fix it.
“Skycure takes pride in abiding by vendor’s responsible disclosure policy. Per that policy, we notified Google of this issue in March 2016. Following our correspondence with the Google Android Security team, they have decided not to fix this issue and accept this risk as a consequence of its current design,” Amit said.
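Since Google has decided not to change the settings screen, the remaining defense is on the app side: an app can refuse taps on its own sensitive controls while another window is drawn over it, using the touch filtering Android has offered since API 9. The following is an added example, not code from Skycure or the article; the OverlayGuardedButton class name and the user-facing message are assumptions.

```java
import android.content.Context;
import android.util.AttributeSet;
import android.util.Log;
import android.view.MotionEvent;
import android.widget.Button;
import android.widget.Toast;

// Hypothetical button for an app's own sensitive confirmation screens
// (e.g. "Approve transfer"). It refuses touches that arrive while another
// window is drawn over it and tells the user why, rather than failing silently.
public class OverlayGuardedButton extends Button {
    private static final String TAG = "OverlayGuardedButton";

    public OverlayGuardedButton(Context context) {
        this(context, null);
    }

    public OverlayGuardedButton(Context context, AttributeSet attrs) {
        super(context, attrs);
        // Platform mitigation, same as android:filterTouchesWhenObscured="true":
        // touch events carrying FLAG_WINDOW_IS_OBSCURED are dropped before onClick.
        setFilterTouchesWhenObscured(true);
    }

    @Override
    public boolean onFilterTouchEventForSecurity(MotionEvent event) {
        boolean obscured = (event.getFlags() & MotionEvent.FLAG_WINDOW_IS_OBSCURED) != 0;
        if (obscured) {
            // Depending on the platform version the flag can also be set when a
            // benign overlay (e.g. a chat bubble) covers only part of the window,
            // so explain the rejection instead of dropping the touch silently.
            if (event.getAction() == MotionEvent.ACTION_DOWN) {
                Log.w(TAG, "Rejected touch on sensitive control: window is obscured by an overlay");
                Toast.makeText(getContext(),
                        "Another app is drawing over this screen. Close it and try again.",
                        Toast.LENGTH_LONG).show();
            }
            // false = discard this event; the click never reaches the listener.
            return false;
        }
        // Not obscured: let the default policy (and the click) proceed.
        return super.onFilterTouchEventForSecurity(event);
    }
}
```

Use it in place of Button in the app's own layouts; it protects only windows the app controls and cannot protect the system Accessibility settings screen that the attack described above targets.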