‘Accessibility Clickjacking’ malware could impact 500 million Android devices


Researchers at threat defense company Skycure have uncovered a proof-of-concept Android malware that uses accessibility services to allow attackers to spy on and even control a device.

It can monitor all of a victim’s activity and allow attackers to read, and possibly compose, corporate emails and documents via the victim’s device, as well as elevating their permissions to remotely encrypt or even wipe the device.

Accessibility APIs, which were introduced in Android 1.6 and significantly enhanced in Android 4.0, give Accessibility Services access to the contents of the interfaces a user interacts with, for example when reading or composing an email, browsing, or working on a document. They can also perform actions on behalf of the user. They're intended to help users with disabilities, for example by allowing the creation of system-wide text-to-speech tools. But while they have legitimate uses, these capabilities are also extremely attractive to malware writers.

Accessibility Clickjacking could allow malicious applications to access all text-based sensitive information on an infected Android device, as well as take automated actions via other apps or the operating system itself, all without the device user's consent. This would include access to both personal and work emails, SMS messages, data from messaging apps, and sensitive data in business applications such as CRM software, marketing automation software and more.
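Because an enabled accessibility service has this much reach, a defender can audit which services are switched on for a device. The sketch below is an added example, not code from Skycure or from this article: it parses the colon-separated value of Android's `enabled_accessibility_services` secure setting (as returned by `adb shell settings get secure enabled_accessibility_services`) and flags services from packages outside an allowlist. The sample value and the allowlist are constructed for illustration.

```python
"""Audit which accessibility services are enabled on an Android device."""

# Constructed sample of the setting value: colon-separated "package/class"
# component names, where a class starting with "." is relative to the package.
SAMPLE_SETTING = (
    "com.google.android.marvin.talkback/.TalkBackService:"
    "com.example.flashlight/com.example.flashlight.HelperService"
)

# Hypothetical allowlist of packages approved to run an accessibility service.
APPROVED_PACKAGES = {"com.google.android.marvin.talkback"}


def parse_enabled_services(setting_value):
    """Return (package, full_class_name) pairs from the setting string."""
    value = (setting_value or "").strip()
    # `settings get` prints "null" when the setting has never been written.
    if value in ("", "null"):
        return []
    services = []
    for entry in value.split(":"):
        entry = entry.strip()
        if not entry:
            continue
        package, sep, cls = entry.partition("/")
        if not sep or not package or not cls:
            # Malformed entry: keep it visible rather than silently dropping it.
            services.append((entry, ""))
            continue
        if cls.startswith("."):
            cls = package + cls  # expand the short component form
        services.append((package, cls))
    return services


def unapproved_services(setting_value, approved=APPROVED_PACKAGES):
    """Return enabled services whose package is not on the allowlist."""
    return [s for s in parse_enabled_services(setting_value)
            if s[0] not in approved]


if __name__ == "__main__":
    for package, cls in unapproved_services(SAMPLE_SETTING):
        print(f"review: {package} runs accessibility service {cls or '(malformed)'}")
```
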

More detail on the threat is available on the Skycure blog; there's also a video demonstration of how it works below.