Most of us aren't stupid enough to click on a window that hands over control of our phones to a stranger. And most of us definitely wouldn't do it if our phones kicked up numerous warnings in the process. But researchers at Skycure have demonstrated that they can take control of an Android phone without the victim being any the wiser. At the RSA Conference here, Skycure researchers will share their research with the gathered attendees. PCMag received a private briefing on the research from Skycure CTO Yair Amit prior to the public announcement—after Skycure took control of my iPhone during a phone call to prove a point.
The attack uses the Android accessibility framework, which is designed to help users get the most out of their phones, even if they are visually impaired or have difficulty typing, for example. But under malicious control, Amit explained, the accessibility framework can be used to monitor user activity and take actions without users' knowledge. Normally, activating the accessibility tools requires diving through a series of menus and confirming your choice on several screens. These are powerful tools, and you are warned repeatedly by the operating system that granting access to the framework can expose your personal data. But Skycure is able to circumvent these warnings using a technique called clickjacking.
"The beauty of it is that it doesn't require rooting, but we still see everything the victim is doing and take actions," Amit told PCMag. The Bulk of Android at Risk
Google made changes to Android's accessibility framework in version 5.0 of Android, which prevents specific buttons from being hijacked in this manner. Version 6.0 appears to be immune as well.But because of the fractured nature of Android, Google reports that only a combined 35 percent of Android users that visit the Google Play store are using either of these versions. Using those numbers, Skycure estimates that about 66 percent of Android phones could be susceptible to this attack. The phone we saw that attack demonstrated on ran Android 4.4 Kitkat.
Thankfully, it's easy to check if an attacker is taking advantage of this vulnerability. Simply open your accessibility settings and make sure that you recognize and approve of every service on the list. You can do the same for Device Admin. As always, the best way to avoid malware is to stick with the Google Play store. While not infallible, the Play store is an excellent first line of defense against malware. However, when asked if his demonstration app would be accepted to the Play store, Amit said it was entirely possible since it only asked for a single permission: to draw over apps. Amit pointed out that trusted apps like Facebook also use this permission.
The app Skycure used in its demonstration isn't available for download, but Amit pointed out it's more than just a proof of concept. He said that Symantec had previously detected clickjacking malware calledAndroid.Lockdroid.E that used the technique obtained admin access on Android devices. Given all that, Amit sees a future in this kind of attack. "We expect to see more attacks like this in the wild in the very near future," he said.
This article originally appeared on PCMag.com.
Once the malicious app can use the accessibility tools, it can see every keystroke the user enters in any app. In the demonstration PCMag saw, an email typed in the Gmail app was painstakingly captured by the malicious app. But this app can do more. Using the accessibility framework, the app is then able to get Device Administrator access on the device. This is a special, privileged level of access usually reserved for trusted security apps or Google. The Android Device Manager, for example, uses Device Admin privileges to remotely lock, wipe, and locate lost Android devices.In the demo we saw, the malicious app simply flashed an image on the screen—again, taken from Rick and Morty. There was no flicker, or any indication that something was amiss, but in the background the app had granted itself Device Admin. Once it has this level of access, the malicious app and its author now have a lot of control over a victim's device.
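As an added example (not code from the article or from Skycure), here is a shell check for the accessibility-services audit the article recommends: it takes the value Android exposes through `adb shell settings get secure enabled_accessibility_services` and flags every enabled service whose package is not on an allowlist you maintain. The sample value and the `com.example.unknownapp` package are constructed.

```shell
#!/bin/sh
# Added example, not code from the PCMag article or from Skycure.
# Audits Android's list of enabled accessibility services against an
# allowlist of packages you recognise. On a connected device the live
# value comes from:
#   adb shell settings get secure enabled_accessibility_services
# It is a colon-separated list of package/Service component names, or
# "null" when no service is enabled.

# audit_accessibility_services RAW ALLOWLIST
#   RAW: the raw setting value; ALLOWLIST: space-separated package names.
#   Prints each component whose package is not allowlisted.
#   Returns 0 when every enabled service is recognised, 1 otherwise.
audit_accessibility_services() {
    raw=$1
    allow=$2
    status=0
    # Nothing enabled: nothing to flag.
    if [ -z "$raw" ] || [ "$raw" = "null" ]; then
        return 0
    fi
    # Split the colon-separated list into positional parameters.
    old_ifs=$IFS
    IFS=:
    set -- $raw
    IFS=$old_ifs
    for comp in "$@"; do
        pkg=${comp%%/*}          # the package name precedes the slash
        known=0
        for a in $allow; do
            if [ "$a" = "$pkg" ]; then
                known=1
                break
            fi
        done
        if [ "$known" -eq 0 ]; then
            echo "UNKNOWN accessibility service: $comp"
            status=1
        fi
    done
    return $status
}

# Constructed sample: Google's TalkBack service (legitimate) followed by a
# hypothetical unknown service under a placeholder package name.
SAMPLE='com.google.android.marvin.talkback/com.google.android.marvin.talkback.TalkBackService:com.example.unknownapp/com.example.unknownapp.SomeService'
ALLOW='com.google.android.marvin.talkback'

# Against a real device (adb required), strip the trailing CR adb adds:
#   audit_accessibility_services "$(adb shell settings get secure enabled_accessibility_services | tr -d '\r')" "$ALLOW"
```

The same idea applies to the Device Admin list the article mentions, but that list is only reachable through the Settings UI or `dumpsys device_policy`, whose output format varies by release, so it is not parsed here.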