SkyCure_Accessibility_Clickjacking

Clickjack Exploit Affects Android 4.4 KitKat And Older

March 4, 2016 - Written By Daniel Fuller

Vulnerabilities and hacks pop up all the time, springing from just about every conceivable method and corner of the internet. Some may be fairly innocuous, while some, such as the late Heartbleed and Stagefright scares, can be devastating and widespread to the point that they become widely known. Exploits often take place in apps not officially sanctioned by the Play Store, though it is far from an infallible app resource. The newest exploit found comes to us courtesy of Skycure’s research labs, where an exploit in Android 4.4 and older has been found. The exploit takes advantage of clickjacking, where a click or tap in an app actually has hidden functions and consequences. In this case, it uses Android’s accessibility settings to gain control of a system and monitor everything that happens on the device.

In the demonstration shown below, SkyCure shows off a game based on the Adult Swim show Rick & Morty. In the game, users tap a character that pops up repeatedly. When doing this, however, they’re actually making clicks that will allow the app to have privileges as a Device Administrator, a level of control usually reserved for system apps, Google apps and anti-malware apps, among very few other types of apps. From there, it hooks into the device’s accessibility framework. The framework is designed to help users that are visually or hearing impaired, meaning it has access to a wide range of device functions. After that, they demonstrate a message being typed in the Gmail app being captured keystroke for keystroke. With that kind of privilege, of course, the exploit can exert much more control over your device than that.

The hooks and ladders used by the exploit were pre-patched in Android 5.0 Lollipop and above, but use of Android 4.4 KitKat is still widespread, even on brand new devices in the low end of the market. There are also many people out there using legacy devices that may be vulnerable. According to one of SkyCure’s researchers, the only permission the exploit needed to work was to draw over other apps, meaning an app with this exploit could very well make it into the Play Store. Users are cautioned to avoid venturing outside the Play Store if possible and, if they must download elsewhere, be mindful of the permissions. If you suspect your system has been compromised via this exploit, check your security settings; the device administrators option will show any apps that have such permissions.