Mobile security experts from Skycure have found two methods for bypassing the security containers put around “Android for Work,” allowing attackers to access business data saved in this seemingly secure environment.
“Android for Work” is a security mechanism that Google added in Android with version 5.0 (Lollipop), which it launched in 2015.
Currently rebranded under the name of “work features in Android,” this feature played a crucial role in Android’s adoption in the business sector, especially in enterprises with a BYOD (Bring Your Own Device) policy.
Android for Work designed to work as a secure sandbox
What Android for Work did was to create a separate user in the Android OS, which acted as a standalone container and a secure sandbox that prevented apps installed under regular users from accessing apps installed in Android for Work.
This allowed users to install apps that saved sensitive data in a secure environment where nosy Dropbox or Google Drive couldn’t reach to sync into private cloud sharing accounts.
On phones, the Android for Work apps, notifications, and files are all marked with a red briefcase icon, and they can’t be open unless a person has authenticated in his Android for Work user.
What Skycure researchers discovered was that even if the Android for Work ecosystem was well secured from the user’s personal space, an attacker could utilize core Android features as proxies to expand his access from the personal space to the Android for Work container.
During their tests, researchers experimented with two Android core features, more precisely with Android’s Accessibility feature and the Android Notifications system.
Using Android’s Accessibility service to attack Android for Work
According to Skycure’s Yair Amit and Shahar Areli, attackers can leverage social engineering and trick users into installing malicious apps on their phone’s personal space.
For example, an app that reads content from other apps, such as a Wikipedia search app, can trick the user into giving it access to the Accessibility service, arguing that it needs this access in order to function properly.
A user won’t see a problem in granting the app this permission, since he has no idea it could be turned against him.
According to Skycure, the malicious app, now with access to the Accessibility service, can relay malicious commands to read the content of Android for Work files and apps, using the Accessibility service as a proxy.
The Android for Work container will see the requests coming from the Accessibility service, and will allow it, since this is a core OS service, used under normal circumstances to assist users with various impairments.
For all intent and purpose, in Android’s internal thinking, the Accessibility service works normally, without knowing the service has been hijacked by a malicious app. Skycure researchers also explain their attack scenario in the video below.
Using Android’s notifications system to attack Android for Work
The second Android feature that can be used as a proxy to relay malicious commands from the personal userspace to the secure Android for Work container is the Notifications system, used to show alerts in real-time at the top of the phone’s screen.
Just like in the previous scenario, all it takes is to convince a user into installing a malicious app on his device.
All the app has to do is to ask the user to grant it access to ALL notifications on the device. If the attacker carefully chooses the app’s scope, users won’t think twice about giving it this permission.
Once the malicious app has access to the entire Android Notifications system, it can read the content of notifications even for apps installed in the Android for Work container.
Furthermore, Skycure experts also present an attack scenario where access to the Notifications can prove fatal for Android for Work users.
For example, the malicious app can initiate a password reset operation for a business application or website, suppress notifications, and gain access to the user’s various business apps and accounts.
Similarly, the malicious app can hide two-factor authentication logins when accessing sensitive accounts, even if the notifications pop up for a secure Android for Work application. A video presentation of this attack vector is available below.
Just like with the Accessibility feature, the problem is that all the malicious commands appear to come from a core Android feature which the Android for Work container can’t disable without affecting the legitimate apps.
This is also the reason why Google has told Skycure that it can’t fix these issues without crippling Android for Work. Instead, they allowed researchers to publicize their work, in order for Android for Work users to become acquainted with this new attack vector.
Currently, the only way to mitigate such attacks is to use a mobile security solution that can catch malicious apps and warn users of potential dangers before attackers compromise Android for Work data.