As Android scales a new peak of success, after grabbing more of the smartphone OS market share than ever before, one of its old foes has reared its ugly head again, this time in the guise of Accessibility Clickjacking. Malware and viruses have always been something that Android has had to contend with through the ages. In fact, if one could point out any major weakness of the Android platform, security would undoubtedly top the list.
This has led to various antivirus companies jumping to Android and selling their wares as a means to keep devices protected. Interestingly enough, this latest vulnerability comes from the labs of one such software vendor, Skycure. The co-founders, Adi Sharabani and Yair Amit, announced this new vulnerability at the RSA conference in San Francisco, and according to them a huge chunk of older Android devices, around 500 million, are affected. Now, while it is in their vested interest to strike fear into the hearts of smartphone consumers, today we attempt to find out whether Accessibility Clickjacking is really as bad as people are making it out to be.
Accessibility Clickjacking: The Procedure
The video above is a demo of accessibility clickjacking as a PoC (Proof of Concept). The general premise of this attack is to fool the user into giving accessibility rights to a malware programme by clicking on invisible dialogue boxes. While we will not delve deeper into the code used to enable such practices, we do need to understand a bit more about Android and its accessibility settings to figure out why the malware had to go to such lengths to make the user turn on the accessibility settings.
Accessibility settings have been present in Android since version 2.2, but they have been significantly expanded following the 4.0 Ice Cream Sandwich update. This vulnerability uses the Accessibility settings to take over the device: once it has received admin permission, the malware has full control of the device, including running a keylogger to copy all input, encrypting the device storage and even remotely wiping the device should the need arise. However, later versions of Android, including anything above 5.0 Lollipop, are safe, as they do not allow other apps to draw over critical system popups, thereby negating the technique this malware relies on. So who is at risk?
Accessibility Clickjacking: The Reach
The latest data from Android.com suggests that only 34.1% of Android devices run on Lollipop and a meager 1.2% on the latest release of Marshmallow. Added together they form a tiny 35.3% of the total Android device base, and the remaining 64.7% are in danger of succumbing to this new malware.
To put those percentages into numbers, almost 500 million devices are at risk of being clickjacked. From an even broader perspective, it boils down to nearly 1 in every 2 smartphones falling prey to the malware. But in the midst of all this, we have overlooked one tiny detail, and as someone has rightly pointed out, the devil is always in the detail.
Google has always known that Accessibility settings are something that could be exploited to gain control of an Android device. In fact, the only reason accessibility settings still exist is that they help many people with special needs to use their smartphones effortlessly. However, this video has shown that any app, like the benign Rick n Morty game demonstrated above, could be used to take advantage of these settings by using the clickjacking technique.
Google is well aware of the Android fragmentation problem. It knows that older devices on the Android platform are at risk from new bugs and malware as they are created. And thus, it has another layer of security, invisible to most Android users: Google Play services. As long as the user doesn’t allow installation of apps from unknown sources, they are safe, as the Play Store has filters in place which go through an app’s code searching for malicious intent before letting it become downloadable for all and sundry. This is why, at the end of the day, however big the malware might appear, in reality it would only affect the very small slice of devices that allow apps from unknown sources to be installed.
Finding bugs and exploits in code is pretty easy. In fact, even arguably the most secure among consumer versions of desktop and mobile OSes have plenty of bugs. The most important step lies in what is done to stop those bugs from becoming vulnerabilities. While the StageFright bug in Android caused a lot of furor, ultimately no major exploit came out of it, as the bug was difficult to turn into a working attack. Similarly, although Accessibility Clickjacking sounds pretty scary, the only reason that it was developed in a lab of antivirus researchers and not in a cracker’s mind is its limited reach in real-life scenarios.
Despite all of this, one cannot underestimate the depth of the real problem. And the problem here lies not in the fact that Accessibility settings in Android could be hacked, but in the fact that this loophole was patched in later versions of Android, and yet that patch never made its way through to most users. While there is no single solution to the Android fragmentation problem, here are a few factors that OEMs and Google could keep in mind to prevent such malware from being effective in the future:
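The combination the technique described above depends on, an app that can draw over other apps and that also ships an accessibility service, can be checked statically from a decoded AndroidManifest.xml. The following Python triage is an added example, not code from Skycure, Google or this article's sources; the package names and sample manifests are constructed, and treating the SYSTEM_ALERT_WINDOW permission as the overlay indicator is an assumption of this example.

```python
import xml.etree.ElementTree as ET

A = "{http://schemas.android.com/apk/res/android}"  # android: attribute namespace
OVERLAY = "android.permission.SYSTEM_ALERT_WINDOW"  # permission to draw over other apps
BIND_A11Y = "android.permission.BIND_ACCESSIBILITY_SERVICE"
LOLLIPOP_API = 21  # Android 5.0; the article treats Lollipop and later as safe


def triage_manifest(manifest_xml):
    """Flag overlay + accessibility-service apps that install on pre-Lollipop."""
    root = ET.fromstring(manifest_xml)
    requested = {e.get(A + "name") for e in root.iter("uses-permission")}
    services = [s.get(A + "name") for s in root.iter("service")
                if s.get(A + "permission") == BIND_A11Y]
    sdk = root.find("uses-sdk")
    # Android treats a missing minSdkVersion as 1.
    min_sdk = int(sdk.get(A + "minSdkVersion", "1")) if sdk is not None else 1
    overlay = OVERLAY in requested
    pre_lollipop = min_sdk < LOLLIPOP_API
    return {
        "package": root.get("package"),
        "draws_overlay": overlay,
        "accessibility_services": services,
        "installs_pre_lollipop": pre_lollipop,
        "review": overlay and bool(services) and pre_lollipop,
    }

# Constructed sample manifests (hypothetical packages, not taken from the PoC).
HEAD = '<manifest xmlns:android="http://schemas.android.com/apk/res/android" package="%s">'
GAME = HEAD % "com.example.game" + """
  <uses-sdk android:minSdkVersion="16"/>
  <uses-permission android:name="android.permission.SYSTEM_ALERT_WINDOW"/>
  <application><service android:name=".HelperService"
    android:permission="android.permission.BIND_ACCESSIBILITY_SERVICE"/></application>
</manifest>"""
READER = HEAD % "com.example.reader" + """
  <uses-sdk android:minSdkVersion="16"/>
  <application><service android:name=".TalkService"
    android:permission="android.permission.BIND_ACCESSIBILITY_SERVICE"/></application>
</manifest>"""
BUBBLE = HEAD % "com.example.bubble" + """
  <uses-sdk android:minSdkVersion="23"/>
  <uses-permission android:name="android.permission.SYSTEM_ALERT_WINDOW"/>
  <application><service android:name=".BubbleService"/></application>
</manifest>"""

if __name__ == "__main__":
    for sample in (GAME, READER, BUBBLE):
        print(triage_manifest(sample))
```

A flagged manifest is a prompt for manual review rather than a verdict, since legitimate accessibility tools can request the same permissions.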
- With a majority of Android users in the dark about potential security hazards for their devices, we see that 32% of people do not perform the updates that are pushed to their devices. This needs to change and Google and OEMs should join hands in a combined effort to raise awareness of security issues prevalent in Android.
- After the Stagefright fiasco, Google decided to roll out monthly security patches to its Nexus lineup of phones. Several OEMs like Samsung and HTC followed suit, but only for their top-tier devices. However, we see that the global ASP of smartphones is falling and people are moving more towards affordable and powerful mid-range devices. Companies should recognise the trend and make these security patches available across their entire product lineup.
- Android has a very open nature, which is one of the many reasons we get to see a myriad of devices from a myriad of manufacturers. Even so, Google may in future be forced to tighten its grip on the ecosystem if the OEMs continue to be lax about such pressing security concerns.
“While a variety of capabilities have been implemented in web browsers and web servers in order to mitigate the risk of clickjacking, mobile still remains vulnerable and it turns out that Android is susceptible to a similar kind of a threat,” says Yair Amit, CTO and co-founder at Skycure.
And while this particular vulnerability might not be able to rock the boat of Android, Google must brace itself in preparation for turbulent waters ahead, as other hackers will look to use the clickjacking technique on older, unprotected Android devices.