Researchers at Skycure have reported that a previously discovered security hole in the Android operating system affects even more devices than previously thought. First discovered in march, the exploit was thought to only affect 66% of Android devices. However, the company has now run tests on more recent versions of the Android OS, and are now claiming that 95.4%, or about 1.3 billion devices, are affected.
Known as the Accessibility Clickjacking Exploit, it uses two features of the Android OS in order to trick the user into granting permissions to a malicious app. The first feature used in the exploit is known as Accessibility Service. This feature allows an app to have access the contents of user interface elements and to perform certain actions on behalf of the user. This feature is intended primarily as an aid to the blind and the deaf. However, Google recognized the threat this could pose to users, so if an app tries to gain permissions through the Accessibility Service, a warning is given and the user must give their explicit confirmation.
The second feature that is used in the exploit is the ability of one app to draw on top of another, essentially hiding it from view. The exploit works by running a seemingly harmless activity in the forefront, while the Accessibility Service is running underneath. The user is tricked into granting permissions because the final confirmation button is hidden by the app that is drawn on top of it.
It was initially believed that only Android versions before 5.0 were affected. Starting in 5.0, the confirmation no longer responds to touches if it is covered. One of the researchers at Skycure eventually considered the possibility that the exploit may still work if the confirmation button was only mostly covered, but with a tiny hole that was still touch sensitive. After running the tests and determining the exploit could work, Skycure issued the warning that 5.x versions of Android are vulnerable as well. Beginning in version 6.0, apps cannot draw on top of other apps by default, and must be given explicit permission to do so in the settings. Because of that change, Skycure states that version 6.0 should be far more difficult to exploit.
A hacker could use this exploit for all sorts of malicious purposes. It could be used to monitor a user's email, texts or other communications without their knowledge. It could also be used in ransomware schemes. Skycure co-founder Yamir Amit warns, "There is no reason why an app that utilized both these features would be red flagged by Google or any other mobile security software that wasn’t looking for it. This is not malware or some other type of Trojan. There is no rooting required. It’s an attack that takes advantage of existing functionality of the Android OS." Google has acknowledged the exploit and stated it "will scan for abuse and take action where appropriate."
How should Google deal with this exploit? Is it enough to make newer version of Android secure, or should they take action to protect users of older versions? Leave your comments below.
