It’s said that the road to Hell is paved with good intentions. You can do something with the most magnanimous ends, but if you’re not careful, it can all go horribly awry, incredibly quickly.
A security vulnerability in Android’s Accessibility Services — discovered by SkyCure security researcher Yair Amit — is a great example of this. By exploiting a flaw in the tool that allows blind and visually impaired individuals to use Android devices, an attacker could gain control of the device, in the process acquiring elevated privileges and seizing access to the files stored on it.
Let’s take a look, and find out how you can stop this from happening.
Understanding the Flaw
The exploit builds upon earlier research by SkyCure, published at this year’s RSA conference. The research explored how, by creating applications that can draw over other ones, and in turn launch the built-in accessibility services (user interface enhancements designed to assist users with disabilities), you can introduce various kinds of malignant behavior, as demonstrated in the video below.
As a proof-of-concept, SkyCure has created a game based upon the popular Rick and Morty television series, which actually launches a malicious accessibility service, all without the user noticing.
In describing the original threat, SkyCure says that it could be used to “give a malicious hacker virtually unlimited permissions to their malware”. One potential application for the attack, SkyCure says, is to deploy ransomware. It could also be used to compose corporate emails and documents via the user’s device, as well as to persistently monitor device activity.
This type of attack has a name — clickjacking, or less commonly a “UI redress attack”. OWASP (the Open Web Application Security Project) defines clickjacking as when “an attacker uses multiple transparent or opaque layers to trick a user into clicking on a button or link on another page when they were intending to click on the top level page”.
Starting in Android Lollipop (5.x), Google added a workaround that, in theory, would have made this kind of attack impossible. The change introduced by Google meant that if a user wanted to activate accessibility services, the OK button could not be covered by an overlay, preventing an attacker from launching them by stealth.
For reference, this is what it looks like when you launch an accessibility service manually. As you can see, Google is very explicit about the Android permissions required. This will deter many users from installing accessibility services in the first place.
How to Defeat Google’s Protections
Yair Amit, however, was able to find a flaw in Google’s approach.
“I was in a hotel when it occurred to me that although the hotel door mostly blocked my view of the hallway outside, there was a peephole that was not blocking the view. This was my epiphany that led me to think that if there were a hole in the overlay, the OK button could be ‘mostly covered’ and still accept a touch in the potentially very small area that was not covered, thereby bypassing the new protection and still hiding the true intent from the user.”
To test this idea out, SkyCure software developer Elisha Eshed modified the Rick and Morty game, which was used in the original exploit proof-of-concept. Eshed created a small hole in the overlay, which was disguised as a game item, but was actually the confirmation button on the accessibility service. When the user clicked the game item, the service was launched, and with it, all the undesirable behavior.
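As an added, defender-side example (not code from SkyCure, Google or this article), here is how an Android app that shows its own sensitive confirmation control can ask the framework to drop touches that arrive while another window covers it. The framework flag for a fully covering overlay has existed since Android 2.3, which is the protection the Lollipop dialog relied on; the flag for a partially covering overlay, which is the peephole case described above, was only added in Android 10 (API 29), so on the Lollipop-era devices discussed here this check still cannot see the hole. The class name and its use are assumptions for illustration.

```java
// Added example, not SkyCure's or Google's code: a confirmation button that
// refuses touches delivered while another window obscures it.
import android.content.Context;
import android.os.Build;
import android.util.AttributeSet;
import android.view.MotionEvent;
import android.widget.Button;

public class GuardedConfirmButton extends Button {  // hypothetical class name

    public GuardedConfirmButton(Context ctx, AttributeSet attrs) {
        super(ctx, attrs);
        // Framework defence: drop touches when a window fully covers this view.
        // Equivalent to android:filterTouchesWhenObscured="true" in layout XML.
        setFilterTouchesWhenObscured(true);
    }

    @Override
    public boolean onFilterTouchEventForSecurity(MotionEvent event) {
        int flags = event.getFlags();

        // Set when the touch passed through a window that fully obscures this view.
        boolean obscured = (flags & MotionEvent.FLAG_WINDOW_IS_OBSCURED) != 0;

        // From Android 10 (API 29) the framework also reports *partial* obscuring,
        // i.e. an overlay with a hole cut around the button. Older releases never
        // set this flag, which is why the peephole bypass worked on Lollipop.
        boolean partiallyObscured = Build.VERSION.SDK_INT >= Build.VERSION_CODES.Q
                && (flags & MotionEvent.FLAG_WINDOW_IS_PARTIALLY_OBSCURED) != 0;

        if (obscured || partiallyObscured) {
            return false; // reject the touch; the user may not be seeing this button
        }
        return super.onFilterTouchEventForSecurity(event);
    }
}
```

Rejecting the touch is deliberately silent: the app cannot know what the user actually saw, so the safe behaviour is to treat the tap as never having happened and let the user retry once the overlay is gone.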
While the original exploit worked against virtually all Android devices running Android KitKat and earlier, this approach increases the number of exploitable devices to include those running Android 5.0 Lollipop. As a consequence, almost all active Android devices are vulnerable to this attack. SkyCure estimates that up to 95.4% of Android devices could be affected.
Mitigating Against It
In line with sensible responsible disclosure procedures, SkyCure first contacted Google before releasing the research to the public, so as to give them an opportunity to fix it. Google’s Android Security team has decided not to fix the issue, accepting the risk as a consequence of the current design.
To mitigate against the threat, SkyCure recommends that users run an updated version of a mobile threat defense solution. These proactively defend against threats, much like an IPS (Intrusion Prevention System) or IDS (Intrusion Detection System) does. However, they’re overwhelmingly aimed at enterprise users, and are far beyond the means of most home users.
SkyCure recommends that home users protect themselves by ensuring they download apps only from trusted sources, such as the Google Play Store. It also recommends that devices run an updated version of Android, although given the fragmented Android ecosystem and carrier-driven update process, this is easier said than done.
It’s worth noting that Marshmallow — the latest version of Android — requires users to manually and specifically grant an app permission to draw a system overlay. While this type of vulnerability could possibly affect devices running Marshmallow, in practice that is far less likely, as the attacker’s app must first persuade the user to grant it that permission, which makes it significantly harder to exploit.
Putting Everything into Context
SkyCure has identified a dangerous and viable way for an attacker to utterly dominate an Android device. While it’s scary, it’s worth reminding yourself that a lot of cards have to fall into place for an attack based on it to work.
The attacker has to do one of two things. One tactic would be to deploy their application to the Google Play Store — in turn bypassing Google’s extremely rigorous static analysis and threat detection procedures. This is extremely unlikely. Six years since opening, and millions of applications later, Google has gotten extremely good at identifying malware and bogus software. On that point, so has Apple, although Microsoft still has a long way to go.
Alternatively, the attackers will have to convince a user to set up their phone to accept software from non-official sources, and to install an otherwise unknown application. As this is unlikely to find a large audience, it will require the attackers to pick a target and ‘spear phish’ them.
While this will inevitably be a nightmare for corporate IT departments, it’ll be less of a problem for ordinary home users, the vast majority of whom get their apps from a single, official source — the Google Play Store.
Image Credit: Broken padlock by Ingvar Bjork via Shutterstock