Divide Between Work, Personal Data on Android Breached

Researchers demonstrate how malicious apps installed in the personal profile can reach into the secure Android work container on EMM-managed phones.

SAN FRANCISCO–Researchers here at the RSA Conference demonstrated Thursday a way an attacker can bypass the sandboxing of Android for Work, the Google feature that enterprise mobility management (EMM) tools rely on to segregate work and personal data on Android devices.

In a proof-of-concept demonstration, researchers from Skycure showed how two separate malicious apps can circumvent Android’s multiuser framework, which is designed to isolate a work profile from the personal profile on a single device. The attacks hinge on a targeted victim installing, in the personal profile, apps that are granted Accessibility Service and Notification access. Both permissions apply device-wide rather than per profile, so an app holding them in the personal profile also reaches the work profile.

The Google feature, commonly known as Android for Work, is referred to by Google as “work features in Android.” Managed through an EMM, it allows businesses to secure work-related data and apps on Android devices and to enforce OS security features such as verified boot.

Victims targeted by what Skycure is calling an app-in-the-middle attack face two different types of threats. In one proof-of-concept attack, researchers created a fictitious app called NotiMirror that offers users the ability to mirror mobile notifications to a desktop.

When NotiMirror is installed, it requests notification access. With that permission granted, the app can read every notification the device receives, including SMS messages, and forward them to a third-party server.

“Since Notifications access is a device-level permission, a malicious app in the personal profile can acquire permission to view and take actions on all notifications, including work notifications, by design. Sensitive information, such as calendar meetings, email messages and other information appears in these notifications, which are also visible to the ‘personal’ malicious app,” according to a Skycure research report written by Yair Amit, co-founder and CTO at Skycure.

In another attack scenario demonstrated at RSA, an attacker intercepts the notification of an SMS message sent as part of a password-reset request and uses it to gain access to enterprise resources such as Salesforce and Slack.

“This presents a serious threat to the use of Android for Work as a secure sandbox for mobile work productivity, as EMM solutions have no mechanism to recognize or defend against it. The attacker may even capture two-factor authentication and administrators will not have any visibility of the theft,” wrote Amit.

A second attack exploits Android’s Accessibility Service, the framework that, among other things, lets apps narrate on-screen text for visually impaired users. For this proof-of-concept, Skycure created an app called StickiWiki that requests permission to monitor all content on the device’s screen. The premise of the fictitious app is to let users type a “@Wiki:” shortcut command to insert abbreviated Wikipedia entries into any Android application, such as chat or email.

Although the app is installed in the user’s personal profile, StickiWiki monitors all content displayed on the device. When the user switches to the work profile and views protected content, an adversary can use StickiWiki to harvest all text on the screen and silently send it to a third-party server.

“This app-in-the-middle resides in the personal profile, yet is effective in stealing corporate information as the user interacts with it. The personal profile cannot be monitored or controlled from the work profile, so even if IT administrators try to enforce security on the work profile (e.g., by restricting the profile settings or allowing only whitelisted apps) it won’t be possible to detect any exposure of sensitive information that uses the Accessibility Service, as they cannot access the personal profile,” Amit wrote.

Skycure notes that the Accessibility Service can be restricted so that only whitelisted apps, identified by application package name, may use it. To bypass that restriction, Skycure said it gave its malicious app the same package name as a whitelisted legitimate app.
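The two permissions described above (notification access for NotiMirror, accessibility access for StickiWiki) and the package-name whitelist bypass can be checked from outside the device, which matters because, as Skycure points out, a work-profile EMM agent cannot look into the personal profile. The script below is an added example written for this article; it is not Skycure's or Google's code. It parses the two relevant secure settings as returned by `adb shell settings --user <id> get secure <key>` for each Android user (the command and the typical work-profile user id of 10 are assumptions), flags every enabled notification listener or accessibility service in any profile, and shows why a whitelist keyed on package name alone passes a spoofed package while a whitelist that also pins the APK's signing certificate (for example, the digest printed by `apksigner verify --print-certs`) does not. All package names, users and certificate digests are constructed.

```python
"""Audit which apps hold device-wide notification access or accessibility
access across Android users, and show why a package-name whitelist alone
is not enough. Added example for this article; not Skycure's or Google's
code. Package names, user ids, settings values and certificate digests are
constructed; the settings strings are shaped like the output of
`adb shell settings --user <id> get secure <key>` (assumed available)."""

import hashlib

PERSONAL_USER = 0   # primary (personal) user
WORK_USER = 10      # typical user id of a managed (work) profile; assumption

# Constructed sample of the two secure settings, per user. Values are
# colon-separated flattened ComponentNames ("pkg/cls" or "pkg/.Cls");
# `settings get` prints "null" when a key is unset.
SAMPLE_SETTINGS = {
    PERSONAL_USER: {
        "enabled_notification_listeners":
            "com.example.notimirror/.NotiListener",
        "enabled_accessibility_services":
            "com.example.stickiwiki/.ScreenScraper"
            ":com.example.approvedreader/com.example.approvedreader.ReaderService",
    },
    WORK_USER: {
        "enabled_notification_listeners": "null",
        "enabled_accessibility_services": "null",
    },
}

# Whitelist keyed on package name only: the check the article says Skycure
# bypassed by reusing a whitelisted package name.
ALLOWED_PACKAGES = {"com.example.approvedreader"}

# Stronger pin: package name -> SHA-256 of the vetted APK's signing cert.
# Constructed placeholder DER bytes stand in for the real certificate.
PINNED_SIGNERS = {
    "com.example.approvedreader": hashlib.sha256(b"vendor-cert-DER").hexdigest(),
}

# Signing-cert digests observed on the audited device (constructed). The
# attacker's build of "com.example.approvedreader" carries a different cert.
OBSERVED_SIGNERS = {
    "com.example.notimirror": hashlib.sha256(b"attacker-cert-DER").hexdigest(),
    "com.example.stickiwiki": hashlib.sha256(b"attacker-cert-DER").hexdigest(),
    "com.example.approvedreader": hashlib.sha256(b"attacker-cert-DER").hexdigest(),
}


def parse_components(setting):
    """Split a colon-separated list of flattened ComponentNames into
    (package, fully qualified class) tuples. Expands the short form
    'pkg/.Cls' and treats the unset sentinel 'null' as an empty list."""
    components = []
    if not setting or setting.strip() == "null":
        return components
    for entry in setting.split(":"):
        entry = entry.strip()
        if not entry or "/" not in entry:
            continue
        pkg, cls = entry.split("/", 1)
        if cls.startswith("."):
            cls = pkg + cls
        components.append((pkg, cls))
    return components


def allowed_by_name(pkg, allowed=ALLOWED_PACKAGES):
    """Weak check: package name only."""
    return pkg in allowed


def allowed_by_signer(pkg, observed=OBSERVED_SIGNERS, pinned=PINNED_SIGNERS):
    """Strong check: the name must be pinned AND the APK's signer must match."""
    return pkg in pinned and observed.get(pkg) == pinned[pkg]


def audit(settings_by_user=SAMPLE_SETTINGS):
    """Return one finding per enabled listener/service, in any user, that
    fails the signer pin. Components enabled in the personal user are
    reported even though the work user shows none: both permissions act
    device-wide, which is the exposure the article describes."""
    findings = []
    keys = ("enabled_notification_listeners", "enabled_accessibility_services")
    for user, settings in sorted(settings_by_user.items()):
        for key in keys:
            for pkg, cls in parse_components(settings.get(key, "null")):
                findings.append({
                    "user": user,
                    "setting": key,
                    "component": f"{pkg}/{cls}",
                    "passes_name_whitelist": allowed_by_name(pkg),
                    "passes_signer_pin": allowed_by_signer(pkg),
                })
    return [f for f in findings if not f["passes_signer_pin"]]


if __name__ == "__main__":
    for finding in audit():
        print(finding)
```

On the constructed sample the audit reports all three personal-profile components: NotiMirror and StickiWiki fail both checks, while the spoofed `com.example.approvedreader` passes the name-only whitelist and fails only the signer pin. The caveat is the one Skycure raises: this has to run from a management channel that can read the personal user's settings (an ADB audit or a device owner), since a profile owner confined to the work profile cannot see them.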

Skycure said it disclosed its research to Google. In response, Google noted that since the apps were not distributed via Google Play and required a user to overtly grant them excessive permissions, it does not view the technique as a threat to its Android work multiuser framework, Amit said.

“The apps outlined in our research illustrate real-world exposure risks,” Amit told Threatpost. “Apps that utilize the relevant Accessibility and Notification permissions are prevalent in Google Play and other sources – while most are used for good reasons,” he said. “Because of the flaws we outline in our research, they are by design endangering the most sensitive corporate data stored on Android business profiles.”
