How Android Accessibility Services Can Be Used To Hack Your Phone

It’s said that the road to Hell is paved with good intentions. You can do something with the most magnanimous ends, but if you’re not careful, it can all go horribly awry, incredibly quickly.

A security vulnerability in Android’s Accessibility Services — discovered by SkyCure security researcher Yair Amit — is a great example of this. By exploiting a flaw in the tool that allows blind and visually-impaired individuals to use Android devices, an attacker could gain control of the device, in the process acquiring elevated privileges, and seizing access to the files stored on it.

Let’s take a look, and find out how you can stop this from happening.

Understanding the Flaw

The exploit builds upon earlier research by SkyCure, published at this year’s RSA conference. The research explored how, by creating applications that can draw over other ones, and in turn launch the built-in accessibility services (user interface enhancements designed to assist users with disabilities), you can introduce various kinds of malignant behavior, as demonstrated in the video below.

As a proof-of-concept, SkyCure has created a game based upon the popular Rick and Morty television series, which actually launches a malicious accessibility service, all without the user noticing.

In describing the original threat, SkyCure says that it could be used to “give a malicious hacker virtually unlimited permissions to their malware”. One potential application for the attack, SkyCure says, is to deploy ransomware. It could also be used to compose corporate emails and documents via the user’s device, as well as to persistently monitor device activity.

This type of attack has a name — clickjacking, or less commonly a “UI redress attack”. OWASP (the Open Web Application Security Project) defines clickjacking as when “an attacker uses multiple transparent or opaque layers to trick a user into clicking on a button or link on another page when they were intending to click on the top level page”.

Starting in Android Lollipop (5.x), Google added a workaround that, in theory, would have made this kind of attack impossible. The change introduced by Google meant that if a user wanted to activate accessibility services, the OK button could not be covered by an overlay, preventing an attacker from launching them by stealth.

For reference, this is what it looks like when you launch an accessibility service manually. As you can see, Google is very explicit about the Android permissions required. This will deter many users from installing accessibility services in the first place.

How to Defeat Google’s Protections

Yair Amit, however, was able to find a flaw in Google’s approach.

“I was in a hotel when it occurred to me that although the hotel door mostly blocked my view of the hallway outside, there was a peephole that was not blocking the view. This was my epiphany that led me to think that if there were a hole in the overlay, the OK button could be ‘mostly covered’ and still accept a touch in the potentially very small area that was not covered, thereby bypassing the new protection and still hiding the true intent from the user.”

To test this idea out, SkyCure software developer Elisha Eshed modified the Rick and Morty game, which was used in the original exploit proof-of-concept. Eshed created a small hole in the overlay, which was disguised as a game item, but was actually the confirmation button on the accessibility service. When the user clicked the game item, the service was launched, and with it, all the undesirable behavior.
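The gap between "the tapped spot is uncovered" and "the button is uncovered" can be shown with a small geometric model. This is an added example, not SkyCure's or Android's code; the screen size, button position, hole size and both rule functions are assumptions chosen for illustration.

```python
from dataclasses import dataclass

@dataclass(frozen=True)
class Rect:
    left: int
    top: int
    right: int    # exclusive
    bottom: int   # exclusive

    def contains(self, x, y):
        return self.left <= x < self.right and self.top <= y < self.bottom

    def overlap_area(self, other):
        w = min(self.right, other.right) - max(self.left, other.left)
        h = min(self.bottom, other.bottom) - max(self.top, other.top)
        return max(w, 0) * max(h, 0)

def overlay_with_hole(screen, hole):
    """Four non-overlapping rectangles covering `screen` except for `hole`."""
    return [
        Rect(screen.left, screen.top, screen.right, hole.top),        # above
        Rect(screen.left, hole.bottom, screen.right, screen.bottom),  # below
        Rect(screen.left, hole.top, hole.left, hole.bottom),          # left
        Rect(hole.right, hole.top, screen.right, hole.bottom),        # right
    ]

def covered_fraction(overlays, button):
    """Share of the button hidden by overlays (rectangles must not overlap)."""
    total = (button.right - button.left) * (button.bottom - button.top)
    return sum(o.overlap_area(button) for o in overlays) / total

def point_check(overlays, x, y):
    """Weak rule: accept the tap unless an overlay covers the tapped pixel."""
    return not any(o.contains(x, y) for o in overlays)

def area_check(overlays, button):
    """Stricter rule: accept only if no overlay covers any part of the button."""
    return covered_fraction(overlays, button) == 0

# Constructed layout: a 1080x1920 screen, an OK button, a 20x20 px gap over it.
SCREEN = Rect(0, 0, 1080, 1920)
OK_BUTTON = Rect(700, 1500, 1000, 1620)
HOLE = Rect(840, 1550, 860, 1570)
OVERLAYS = overlay_with_hole(SCREEN, HOLE)

if __name__ == "__main__":
    print("button covered: %.1f%%" % (100 * covered_fraction(OVERLAYS, OK_BUTTON)))
    print("point rule accepts tap in gap:", point_check(OVERLAYS, 850, 1560))
    print("area rule accepts confirmation:", area_check(OVERLAYS, OK_BUTTON))
```

In this model the button is almost entirely hidden, yet the point rule still accepts the tap; only a rule that looks at the whole button rejects it.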

While the original exploit worked against virtually all Android devices running Android KitKat and earlier, this approach increases the number of exploitable devices to include those running Android 5.0 Lollipop. As a consequence, almost all active Android devices are vulnerable to this attack. SkyCure estimates that up to 95.4% of Android devices could be affected.

Mitigating Against It

In line with sensible responsible disclosure procedures, SkyCure first contacted Google before releasing it to the public, so as to give them an opportunity to fix it. Google’s Android Security team have decided not to fix the issue, and accept the risk as a consequence of the current design.

To mitigate against the threat, SkyCure recommend that users run an updated version of a mobile threat defense solution. These proactively defend against threats, much like an IPS (Intrusion Protection System) or IDS (Intrusion Detection System) does. However, they’re overwhelmingly aimed at enterprise users, and are far beyond the means of most home users.

SkyCure recommend home users protect themselves by ensuring they download apps only from trusted sources, such as the Google Play Store. It also recommends that devices run an updated version of Android, although given the fragmented Android ecosystem and carrier-driven updates process, this is easier said than done.


It’s worth noting that Marshmallow — the latest version of Android — requires users to manually and specifically create a system overlay by changing the permissions for that app. While this type of vulnerability could possibly affect devices running Marshmallow, in reality that’s not going to happen, as it’s significantly harder to exploit.
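For anyone vetting apps before they reach a device, one triage signal follows directly from the attack's two ingredients: an app that both requests the draw-over-other-apps permission and ships an accessibility service. The sketch below is an added example, not a SkyCure or Google tool; it assumes each manifest has already been decoded from the APK's binary XML to text, and the sample manifests and package names are constructed. Legitimate apps can hold both, so a hit means "review this app", not "malware".

```python
import xml.etree.ElementTree as ET

NS = "{http://schemas.android.com/apk/res/android}"
OVERLAY_PERM = "android.permission.SYSTEM_ALERT_WINDOW"
BIND_A11Y = "android.permission.BIND_ACCESSIBILITY_SERVICE"
A11Y_ACTION = "android.accessibilityservice.AccessibilityService"

def triage_manifest(xml_text):
    """Report whether one decoded manifest combines overlays with an accessibility service."""
    root = ET.fromstring(xml_text)
    requested = {e.get(NS + "name")
                 for tag in ("uses-permission", "uses-permission-sdk-23")
                 for e in root.iter(tag)}
    services = []
    for svc in root.iter("service"):
        actions = {a.get(NS + "name") for a in svc.iter("action")}
        # A service is an accessibility service if it is bound by the system
        # accessibility permission or answers the accessibility intent action.
        if svc.get(NS + "permission") == BIND_A11Y or A11Y_ACTION in actions:
            services.append(svc.get(NS + "name"))
    overlay = OVERLAY_PERM in requested
    return {"package": root.get("package"), "overlay": overlay,
            "accessibility_services": services,
            "review": overlay and bool(services)}

# Constructed manifests (not taken from any real app).
HEAD = '<manifest xmlns:android="http://schemas.android.com/apk/res/android" package="%s">'
A11Y_SERVICE = """<application><service android:name=".HelperService"
    android:permission="android.permission.BIND_ACCESSIBILITY_SERVICE"><intent-filter>
  <action android:name="android.accessibilityservice.AccessibilityService"/>
</intent-filter></service></application>"""
SAMPLES = [
    HEAD % "com.example.game" + '<uses-permission android:name="%s"/>' % OVERLAY_PERM
        + A11Y_SERVICE + "</manifest>",
    HEAD % "com.example.reader" + A11Y_SERVICE + "</manifest>",
    HEAD % "com.example.chat" + '<uses-permission android:name="%s"/>' % OVERLAY_PERM
        + "<application/></manifest>",
]

def triage_all(manifests):
    """Return the packages whose manifests carry both ingredients."""
    return [r["package"] for r in map(triage_manifest, manifests) if r["review"]]
```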

Putting Everything into Context

SkyCure have identified a dangerous and viable way for an attacker to utterly dominate an Android device. While it’s scary, it’s worth reminding yourselves that a lot of cards have to fall in place for an attack based on it to work.

The attacker has to do one of two things. One tactic would be to deploy their application to the Google Play Store — in turn bypassing their extremely vigorous static analysis and threat detection procedures. This is extremely unlikely. Six years since opening, and millions of applications later, Google has gotten extremely good at identifying malware and bogus software. On that point, so has Apple, although Microsoft still has a long way to go.

Alternatively, the attackers will have to convince a user to set up their phone to accept software from non-official sources, and to install an otherwise unknown application. As this is unlikely to find a large audience, it will require the attackers to pick a target and ‘spear phish’ them.

While this will inevitably be a nightmare for corporate IT departments, it’ll be less of a problem for ordinary home users, the vast majority of whom get their apps from a single, official source — the Google Play Store.

Image Credit: Broken padlock by Ingvar Bjork via Shutterstock


  1. Lynley McWhorter
    February 24, 2018 at 2:39 am

    Please change your website so that it clears the commenter’s name & email when you upload the comment.

  2. Lynley McWhorter
    February 24, 2018 at 2:37 am

    The hacking of my devices began on my iPhone. I searched for your exact article title because I’m starting a web next week, focusing on safety online, app & software reviews, privacy invaders, etc. My “cyber stalker” used my accessibility settings to lock me out of my iDevices. I wasn’t even aware of these settings before. I didn’t have my iPhone and iPad connected (security wise) when it first started. I never used my iPad, then found “he” locked me out of it. Actually, I caught him in the middle of the night doing work that looked like app development. By 8:00 am, he was using switches, scanning, and all kinds of accessibility voodoo to lock me out. I saw fake Apple websites, all kinds of things before that.

    It started on Dec. 18th, I haven’t heard from him in a month now. I have two ideas of who, or where the harassment originated. After that, he would hop on my Linux laptop, then found my Android. I’ve cleaned and reloaded all devices twice. Finally gave up.

    Anyway, that’s the very beginning of a horrendous and torturous two months of my life.

    • Jason Hetrick
      May 12, 2019 at 11:26 pm

      This is all happening to me now. How can I stop it? Please help me.