Skycure security researcher Yair Amit has revealed a chained Android attack path that will greatly enhance attackers’ ability to compromise 1.34 billion devices, or 95 percent of those in use.
The Accessibility Clickjacking attack exploits flaws in protections for Android’s accessibility and draw-over-apps features to allow attackers to hijack devices.
The two features are popular in mobile malware, some of which regularly passes Google’s security checks to make it on the official Play Store.
Amit’s attack is a much more polished and capable demonstration of how those features can be abused to compromise modern and old handsets.
The research has been updated since its initial disclosure in March, after Amit and colleague Elisha Eshed discovered that it applied to updated Android Lollipop (version 5) devices, the most popular of all Android platforms, and affected an additional 840 million devices.
The attack means a covert malicious application could create an opaque overlay image and prompt users to click on specific, seemingly benign areas. Doing so would trigger a process behind the image that would open and activate accessibility settings.
Google tried to fix the flaw by blocking overlays of the accessibility OK button, but Amit has found it can still be clicked.
Submitted by: Arnfried Walbrecht