
It’s said that the road to Hell is paved with good intentions. You can do something with the most magnanimous ends, but if you’re not careful, it can all go horribly awry, incredibly quickly.

A security vulnerability in Android’s Accessibility Services — discovered by SkyCure security researcher Yair Amit — is a great example of this. By exploiting a flaw in the tool that allows blind and visually-impaired individuals to use Android devices, an attacker could gain control of the device, in the process acquiring elevated privileges, and seizing access to the files stored on it.

Let’s take a look, and find out how you can stop this from happening.

Understanding the Flaw

The exploit builds upon earlier research by SkyCure, published at this year’s RSA conference. The research explored how, by creating applications that can draw over other ones, and in turn launch the built-in accessibility services (user interface enhancements designed to assist users with disabilities), you can introduce various kinds of malignant behavior, as demonstrated in the video below.

As a proof-of-concept, SkyCure has created a game based upon the popular Rick and Morty television series, which actually launches a malicious accessibility service, all without the user noticing.


In describing the original threat, SkyCure says that it could be used to “give a malicious hacker virtually unlimited permissions to their malware”. One potential application for the attack, SkyCure says, is to deploy ransomware. It could also be used to compose corporate emails and documents via the user’s device, as well as to persistently monitor device activity.

This type of attack has a name — clickjacking, or less commonly a “UI redress attack”. OWASP (the Open Web Application Security Project) defines clickjacking as when “an attacker uses multiple transparent or opaque layers to trick a user into clicking on a button or link on another page when they were intending to click on the top level page”.

Starting in Android Lollipop (5.x), Google added a workaround that, in theory, would have made this kind of attack impossible. The change introduced by Google meant that if a user wanted to activate accessibility services, the OK button could not be covered by an overlay, preventing an attacker from launching them by stealth.

For reference, this is what it looks like when you launch an accessibility service manually. As you can see, Google is very explicit about the Android permissions required. This will deter many users from installing accessibility services in the first place.

How to Defeat Google’s Protections

Yair Amit, however, was able to find a flaw in Google’s approach.

“I was in a hotel when it occurred to me that although the hotel door mostly blocked my view of the hallway outside, there was a peephole that was not blocking the view. This was my epiphany that led me to think that if there were a hole in the overlay, the OK button could be ‘mostly covered’ and still accept a touch in the potentially very small area that was not covered, thereby bypassing the new protection and still hiding the true intent from the user.”

To test this idea out, SkyCure software developer Elisha Eshed modified the Rick and Morty game, which was used in the original exploit proof-of-concept. Eshed created a small hole in the overlay, which was disguised as a game item, but was actually the confirmation button on the accessibility service. When the user clicked the game item, the service was launched, and with it, all the undesirable behavior.
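Android reports both situations described above to the view that receives a touch: an overlay directly over the touch point, and an overlay that covers the window elsewhere while the touch lands in a gap. The following is an added example, not code from SkyCure or Google, showing how an app developer can make a sensitive confirmation button refuse both; it goes beyond the system dialog the article discusses, and the class name `GuardedConfirmButton` is hypothetical.

```java
import android.content.Context;
import android.os.Build;
import android.util.AttributeSet;
import android.view.MotionEvent;
import android.widget.Button;

/** Hypothetical confirmation button that ignores touches while another window overlaps it. */
public class GuardedConfirmButton extends Button {

    public GuardedConfirmButton(Context context) {
        this(context, null);
    }

    public GuardedConfirmButton(Context context, AttributeSet attrs) {
        super(context, attrs);
        // Built-in filter: drops touches that passed through a window drawn
        // directly over the touch point (MotionEvent.FLAG_WINDOW_IS_OBSCURED).
        setFilterTouchesWhenObscured(true);
    }

    @Override
    public boolean onFilterTouchEventForSecurity(MotionEvent event) {
        int flags = event.getFlags();

        // Case 1: the overlay sits on top of the touch point itself.
        if ((flags & MotionEvent.FLAG_WINDOW_IS_OBSCURED) != 0) {
            return false; // returning false discards the event
        }

        // Case 2, the "peephole": the overlay covers part of our window but
        // the touch landed in an uncovered gap. The flag is public from API 29.
        if (Build.VERSION.SDK_INT >= Build.VERSION_CODES.Q
                && (flags & MotionEvent.FLAG_WINDOW_IS_PARTIALLY_OBSCURED) != 0) {
            return false;
        }

        return super.onFilterTouchEventForSecurity(event);
    }
}
```

On devices below API 29 only the first check applies, so a touch through a gap in an overlay is still delivered there.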

While the original exploit worked against virtually all Android devices running Android KitKat and earlier, this approach increases the number of exploitable devices to include those running Android 5.0 Lollipop. As a consequence, almost all active Android devices are vulnerable to this attack. SkyCure estimates that up to 95.4% of Android devices could be affected.

Mitigating Against It

In line with sensible responsible disclosure procedures, SkyCure first contacted Google before releasing it to the public, so as to give them an opportunity to fix it. Google’s Android Security team have decided not to fix the issue, and accept the risk as a consequence of the current design.

To mitigate against the threat, SkyCure recommend that users run an updated version of a mobile threat defense solution. These proactively defend against threats, much like an IPS (Intrusion Protection System) or IDS (Intrusion Detection System) does. However, they’re overwhelmingly aimed at enterprise users, and are far beyond the means of most home users.

SkyCure recommend home users protect themselves by ensuring they download apps only from trusted sources, such as the Google Play Store. They also recommend that devices run an updated version of Android, although given the fragmented Android ecosystem and carrier-driven updates process, this is easier said than done.

It’s worth noting that Marshmallow — the latest version of Android — requires users to manually and specifically create a system overlay by changing the permissions for that app. While this type of vulnerability could possibly affect devices running Marshmallow, in reality that’s not going to happen, as it’s significantly harder to exploit.

Putting Everything into Context

SkyCure have identified a dangerous and viable way for an attacker to utterly dominate an Android device. While it’s scary, it’s worth reminding yourselves that a lot of cards have to fall in place for an attack based on it to work.

The attacker has to do one of two things. One tactic would be to deploy their application to the Google Play Store — in turn bypassing their extremely vigorous static analysis and threat detection procedures. This is extremely unlikely. Six years since opening, and millions of applications later, Google has gotten extremely good at identifying malware and bogus software. On that point, so has Apple, although Microsoft still has a long way to go.

Alternatively, the attackers will have to convince a user to set up their phone to accept software from non-official sources, and to install an otherwise unknown application. As this is unlikely to find a large audience, it will require the attackers to pick a target and ‘spear phish’ them.

While this will inevitably be a nightmare for corporate IT departments, it’ll be less of a problem for ordinary home users, the vast majority of which get their apps from a single, official source — the Google Play Store.

Image Credit: Broken padlock by Ingvar Bjork via Shutterstock
