Peephole attack could leave more than a billion Android devices open to clickjacking
Earlier this year we reported on the risk Android devices faced from a technique called Accessibility Clickjacking which would allow attackers to monitor all of a user's activity.
At the time of that story the company that uncovered the vulnerability, Skycure, thought that it could affect around half a billion devices. It now believes that despite additional protection being added from Android Lollipop, more than a billion devices may be at risk.
Android Accessibility Services provide interface enhancements to help users interact with their devices. It offers the ability to draw over apps which allows graphical overlays to programs that may allow touches to act on the program below, even if the overlay is not transparent. Combining these two features, a malicious hacker can trick a user into granting virtually unlimited permissions to their malware.
From Lollipop on, Google added additional protection to the final 'OK' button that would grant these accessibility permissions. This is intended to let Android programmers make sure that if a user is going to turn on Accessibility Services, the OK button cannot be covered by an overlay, and the user would be sure to know what they are allowing.
Skycure’s co-founder Yair Amit says, "I was in a hotel when it occurred to me that although the hotel door mostly blocked my view of the hallway outside, there was a peephole that was not blocking the view. This was my epiphany that led me to think that if there were a hole in the overlay, the OK button could be ‘mostly covered’ and still accept a touch in the potentially very small area that was not covered, thereby bypassing the new protection and still hiding the true intent from the user".
Researchers were able to verify that this method works on Lollipop devices, extending the attack surface of Accessibility Clickjacking to nearly all (95.4 percent at the time of writing) active Android devices.
You can find out more about the vulnerability and how to guard against falling prey to it on the Skycure blog and there’s a video showing the exploit in action below.