Security researchers at Skycure are upping the ante on a vulnerability that the company says now leaves 95.4 percent of Android devices open to an attack that hands control of a phone or tablet to an attacker.
Skycure first reported the attack at the RSA Conference in March: a theoretical attack that exploits two benign Android features which, used together, can give an attacker complete control over a victim’s phone. Now researchers say they have figured out a way to exploit more versions of the Android OS. Previously Skycure said 66 percent of Android devices were vulnerable to the attack. On Tuesday, Skycure reported the number is 95.4 percent, or 1.34 billion devices.
Called an Accessibility Clickjacking Exploit, the attack leverages the Android Accessibility Service along with a second feature built into the Android OS that allows an app to draw over other apps. The security firm says all versions of the Android OS before 6.x Marshmallow are vulnerable to the clickjacking exploit.
“After presenting this research at RSA, confirmed on all Android versions through KitKat, it occurred to me that there may be a way to also run this on Android devices running Lollipop. My team was then able to test this and verify that Lollipop is also vulnerable to Accessibility Clickjacking,” wrote Yair Amit, CTO and co-founder of Skycure, in a blog post.
“There is no reason why an app that utilized both these features would be red flagged by Google or any other mobile security software that wasn’t looking for it,” Amit told Threatpost in an interview. “This is not malware or some other type of Trojan. There is no rooting required. It’s an attack that takes advantage of existing functionality of the Android OS,” he said.
Google acknowledged the vulnerability, calling it “an example of nefarious use of genuine tech.” Google added “it will scan for abuse and take action where appropriate.”
To exploit the flaw, an attacker creates a game or application that runs in an overlay window on top of the Android home screen. Underneath the overlay, the same app launches the Accessibility Service settings. The overlay game or app tricks the user into tapping areas of the overlay that are also registered by the underlying screen. That way an attacker can trick you into tapping the right sequence of settings to hand over control of your phone to a remote attacker.
This type of clickjacking could allow an attacker to invisibly open and close settings and open malicious webpages that can install malicious software onto the phone or tablet. Skycure says this technique could also allow an attacker to trick users into unknowingly approving the service’s permissions, such as Device Administrator access.
“With that type of control an attacker could easily gain Device Admin privileges to remotely lock, wipe, and locate the targeted Android device,” Amit said.
The attack scenario takes advantage of the fact that the Android OS supports both overlay apps and a feature that allows an app to draw on top of other apps. The Android drawing feature allows a tap on the top overlay window to be registered by the obscured window beneath it.
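The two ingredients above (an overlay window that lets taps fall through, and an app that quietly asks for accessibility access) are also the two things a defender can look for. The following Android code is an added, defender-side example written for this article; it is not Skycure’s code and not from the article. It uses only standard Android APIs: `PackageManager`, `View.setFilterTouchesWhenObscured` and `MotionEvent.FLAG_WINDOW_IS_OBSCURED`. The class name `OverlayAbuseChecks` and the `TouchObscuredListener` interface are made up for the example. The first helper is the kind of check a mobile security app could run to flag installed packages that request both the “draw over other apps” permission and an accessibility service; the second hardens a sensitive control inside your own app so a tap delivered through an overlay is dropped. Note that neither protects the system Settings screen itself, which only the platform change described for Android 6.x addresses.

```java
import android.content.Context;
import android.content.pm.PackageInfo;
import android.content.pm.PackageManager;
import android.content.pm.ServiceInfo;
import android.view.MotionEvent;
import android.view.View;
import android.widget.Button;
import java.util.ArrayList;
import java.util.List;

/** Defensive helpers for the overlay + accessibility-service combination (example class, not from the article). */
public final class OverlayAbuseChecks {

    private OverlayAbuseChecks() {}

    /**
     * Inventory heuristic: returns the package names of installed apps that both request
     * SYSTEM_ALERT_WINDOW ("draw over other apps") and declare a service guarded by
     * BIND_ACCESSIBILITY_SERVICE. Screen readers and floating assistants legitimately hold
     * both, so treat hits as items for review rather than as verdicts.
     */
    public static List<String> findOverlayPlusAccessibilityApps(Context context) {
        PackageManager pm = context.getPackageManager();
        List<String> hits = new ArrayList<>();
        List<PackageInfo> packages = pm.getInstalledPackages(
                PackageManager.GET_PERMISSIONS | PackageManager.GET_SERVICES);
        for (PackageInfo pkg : packages) {
            if (requestsOverlayPermission(pkg) && declaresAccessibilityService(pkg)) {
                hits.add(pkg.packageName);
            }
        }
        return hits;
    }

    static boolean requestsOverlayPermission(PackageInfo pkg) {
        if (pkg.requestedPermissions == null) return false;
        for (String p : pkg.requestedPermissions) {
            if ("android.permission.SYSTEM_ALERT_WINDOW".equals(p)) return true;
        }
        return false;
    }

    static boolean declaresAccessibilityService(PackageInfo pkg) {
        if (pkg.services == null) return false;
        for (ServiceInfo svc : pkg.services) {
            // An accessibility service must be protected by this permission to be bound by the system.
            if ("android.permission.BIND_ACCESSIBILITY_SERVICE".equals(svc.permission)) return true;
        }
        return false;
    }

    /**
     * Hardens a sensitive control in your own app (for example the button that confirms a
     * Device Administrator or permission grant). The framework sets FLAG_WINDOW_IS_OBSCURED
     * on a touch when another window is drawn over this view; the listener drops such taps
     * and reports them. The simpler, silent alternative is setFilterTouchesWhenObscured(true)
     * (or android:filterTouchesWhenObscured="true" in XML); if that is enabled, the framework
     * discards the obscured touch before any listener sees it.
     */
    public static void hardenAgainstTapjacking(Button confirmButton, TouchObscuredListener listener) {
        confirmButton.setOnTouchListener((v, event) -> {
            if ((event.getFlags() & MotionEvent.FLAG_WINDOW_IS_OBSCURED) != 0) {
                listener.onObscuredTouch(v);
                return true;   // consume the event: the click never reaches the button
            }
            return false;      // unobscured touch: let the button handle it normally
        });
    }

    /** Callback for telemetry or a user-visible warning when an obscured tap is blocked. */
    public interface TouchObscuredListener {
        void onObscuredTouch(View v);
    }
}
```

The inventory check is a heuristic, not a signature: Amit’s point is that neither feature is suspicious on its own, so the useful signal is the combination, ideally weighted by whether the app has a plausible accessibility use case. On Android 11 and later, package visibility rules limit what `getInstalledPackages` returns to ordinary apps, so a security product running this check needs the corresponding query declarations.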
Skycure said it worked closely with Google to disclose the vulnerability. Amit said that Google has turned off, by default, the overlay feature in the Android 6.x OS. Users who want to take advantage of overlay screens on Android 6.x and above have to opt in to the feature.