Almost all Android users vulnerable to Accessibility Clickjacking attacks

Symantec researchers recently posited that Android banking malware with screen overlay capabilities might soon start tricking users into turning on Android’s Accessibility Service, so that it can know which apps are in use and be able to show the appropriate fake login screens.

Their previous trick for knowing the right time to show specific screens was to collect information from the getRunningTasks() API, but with Android 5.0 (Lollipop) that door has been closed to malware developers.

Accessibility Services are meant to help users with disabilities (physical, visual, or age-related) use their device, and therefore have full access to the contents of the interfaces that a user interacts with (for example, the contents of emails when the user uses an email app).

But getting users to turn on Android’s Accessibility Service is often difficult to do.

Some malware/adware creators have resorted to asking users to turn on the accessibility service outright while lying to them about what the service does. Others forgo the lying part altogether, and trust the users will ignore warnings because they really want to use a specific app.

Skycure researchers believe that a clickjacking approach could also soon become a popular choice.

Earlier this year, they demonstrated how malware peddlers can trick users into unknowingly turn on Android’s Accessibility Service by taking advantage of Android being able to give apps the permission to draw over other apps.

They created PoC malware that presents itself as a game, designed in such a way that by playing it, i.e. clicking at specific places on the screen, the user unknowingly goes through the process of turning on Android’s accessibility service. The fake game essentially hijacks the users’ clicks (as demonstrated in this video):

Once Accessibility has been enabled on the device, the hackers can even change admin permissions (again, without the user noticing – it has been done before), and that can bring a whole new host of problems for the user.

The researchers believed that this type of “Accessibility Clickjacking” attack could only be performed on Android 4.4 (KitKat) and earlier versions, as starting with version 5.0 (Lollipop), Google added additional protection to prevent the final “OK” button in the process of turning on Android’s accessibility service to be covered by an overlay.

But, as the researchers later discovered, the protection is not fool-proof.

“I was in a hotel when it occurred to me that although the hotel door mostly blocked my view of the hallway outside, there was a peephole that was not blocking the view,” says Skycure CTO Yair Amit.

“This was my epiphany that led me to think that if there were a hole in the overlay, the OK button could be ‘mostly covered’ and still accept a touch in the potentially very small area that was not covered, thereby bypassing the new protection and still hiding the true intent from the user. Elisha Eshed, back in the Skycure office, was quick to jump on this and verify that this method works on Lollipop devices.”

The same game app that was used in the previous attack has been made to test this new method, and it turned out to be successful:

Google has been notified of the issue, but they decided not to fix it and accept this risk as a consequence of its current design, says Amit.

Still, there is a silver lining: even before this latest revelation they made exploitation of these Android features a bit more difficult in Android Marshmallow (6.x), by making it require the user to manually allow an app to create a system overlay by changing permissions in Settings -> Apps -> Draw over apps settings.

“So although Marshmallow may still be vulnerable, it is significantly more difficult to exploit,” he notes.