SAN FRANCISCO—Most of us aren't stupid enough to click on a window that hands over control of our phones to a stranger. And most of us definitely wouldn't do it if our phones kicked up numerous warnings in the process. But researchers at Skycure have demonstrated that they can take control of an Android phone without the victim being any the wiser.

At the RSA Conference here, Skycure researchers will share their research with the gathered attendees. PCMag received a private briefing on the research from Skycure CTO Yair Amit prior to the public announcement. Previously, Skycure showed off unrelated research by hacking my iPhone during a phone call.

The attack uses the Android accessibility framework, which is designed to help users get the most out of their phones, even if they are visually impaired or have difficulty typing, for example. But under malicious control, Amit explained, the accessibility framework can be used to monitor user activity and take actions without users' knowledge.

Normally, activating the accessibility tools requires diving through a series of menus and confirming your choice on several screens. These are powerful tools, and you are warned repeatedly by the operating system that granting access to the framework can expose your personal data. But Skycure is able to circumvent these warnings using a technique called clickjacking.

The Attack

In our demonstration, Amit showed off a game based off the popular TV series Rick and Morty. The goal of the game was to tap a character as he moved around the screen, whack-a-mole style.

While he was tapping, the game was actually hijacking the taps in order to grant the game permission to use the Android Accessibility framework. At no point do the warning messages from the operating system appear. Instead the victim's taps in the game are translated on to the hidden dialog boxes.

This is clickjacking, where a user's input is invisibly rerouted for another purpose. It's most commonly seen on malicious webpages, where clicks are used to open other windows, or secretly view sites in order to push malicious software or earn money through affiliate advertising.

Once the malicious app can use the accessibility tools, it can see every keystroke the user enters in any app. In the demonstration PCMag saw, an email typed in the Gmail app was painstakingly captured by the malicious app.

But this app can do more. Using the accessibility framework, the app is then able to get Device Administrator access on the device. This is a special, privileged level of access usually reserved for trusted security apps or Google. The Android Device Manager, for example, uses Device Admin privileges to remotely lock, wipe, and locate lost Android devices.

In the demo we saw, the malicious app simply flashed an image on the screen—again, taken from Rick and Morty. There was no flicker, or any indication that something was amiss, but in the background the app had granted itself Device Admin. Once it has this level of access, the malicious app and its author now have a lot of control over a victim's device.

Device Admin is different from root access, and in fact the Android phone we saw was never rooted at any point in the demonstration. But Amit says that's part of the beauty of this attack. Root access can be difficult to get, and it's a dangerous move that will send up red flags. Device Admin, on the other hand, can go unnoticed unless the victim checks their security settings.

"The beauty of it is that it doesn't require rooting, but we still see everything the victim is doing and take actions," Amit told PCMag.

The Bulk of Android at Risk

Google made changes to Android's accessibility framework in version 5.0 of Android, which prevents specific buttons from being hijacked in this manner. Version 6.0 appears to be immune as well.

But because of the fractured nature of Android, Google reports that only a combined 35 percent of Android users that visit the Google Play store are using either of these versions. Using those numbers, Skycure estimates that about 66 percent of Android phones could be susceptible to this attack. The phone we saw that attack demonstrated on ran Android 4.4 Kitkat.

Staying Safe

Thankfully, it's easy to check if an attacker is taking advantage of this vulnerability. Simply open your accessibility settings and make sure that you recognize and approve of every service on the list. You can do the same for Device Admin.

As always, the best way to avoid malware is to stick with the Google Play store. While not infallible, the Play store is an excellent first line of defense against malware. However, when asked if his demonstration app would be accepted to the Play store, Amit said it was entirely possible since it only asked for a single permission: to draw over apps. Amit pointed out that trusted apps like Facebook also use this permission.

The app Skycure used in its demonstration isn't available for download, but Amit pointed out it's more than just a proof of concept. He said that Symantec had previously detected clickjacking malware called Android.Lockdroid.E that used the technique obtained admin access on Android devices.

Given all that, Amit sees a future in this kind of attack. "We expect to see more attacks like this in the wild in the very near future," he said.

If you're concerned about security and surveillance, at homne or on a mobile device, consider getting one of the best VPN services to protect your Web browsing.

Further Reading