Most Android Devices vulnerable to Accessibility Clickjacking Attacks

By | May 18, 2016

Android Security

Security researchers from Skycure disclosed a critical vulnerability clickjacking attack in Android’s Accessibility feature. According to them more than 500 Million devices are vulnerable to this security flaw.

The accessibility features offered by the Android operating system is useful for people with impaired vision, hearing or motor skills. However, the Accessibility Service has also been abused by cybercriminals to steal sensitive information and install applications on devices.

What is Clickjacking

Clickjacking (User Interface redress attack, UI redress attack, UI redressing) is a malicious technique of tricking a Web user into clicking on something different from what the user perceives they are clicking on, thus potentially revealing confidential information or taking control of their computer while clicking on seemingly innocuous web pages. It is a browser security issue that is a vulnerability across a variety of browsers and platforms. A clickjack takes the form of embeddedcode or a script that can execute without the user’s knowledge, such as clicking on a button that appears to perform another function.

Demonstration of the Attack Flow

  • The victim plays a naive “Rick and Morty” themed rat-hitting game, which looks benign (yes, we can certainly improve on the graphics side – if we had time and resources to focus on non-customer-centric problems). What actually happens in the background might come as a surprise to the victim – his/her clicks are actually propagated to an underlying and invisible layer of the operating system – the Accessibility approval dialog. Completing the game means that the victim unknowingly approved Accessibility permissions for the “benign game”!
  • The victim then continues using his/her Android device and composes an email to his/her CEO via the Gmail app. Every action from now on is recorded by the “Rick and Morty” game.

List of Android Versions Affected by Accessibility Clickjacking

List

Graph

                                                                  Source: Android.com

Remediation

  1. Update the operating system to the latest as soon as an update becomes available
  2. Do not click on any dialogue boxes popping up on your phone unless and until you are sure about the action that caused them to appear
  3. Do not install applications from third-party app stores if you do not trust them (while in many cases this is not a realistic option, try to switch off the setting that allows third-party app installation)
    (a) Step 1 – Open “Settings” app.
    (b) Step 2 – Navigate to “Security” settings
    (c) Step 3 – Uncheck “Unknown sources”

Subscribe for latest security updates