As if IT security professionals didn’t have enough to worry about, Skycure has uncovered a new accessibility clickjacking proof of concept malware that could be used to spy on corporate and personal emails, as well as steal corporate data stored on mobile devices.

The malware could be used to spy on all activity on an infected device, from recording emails composed via Gmail to details entered into website forms, mobile banking apps, corporate CRM systems, or messaging apps. In contrast to many mobile malware, this form does not require rooting the device and does not need many app permissions. The footprint left by the malware is incredibility difficult to identify and the user is unlikely to be aware that their device has been compromised.

Clickjacking, also known as a UI redress attack, is the act of fooling a user into clicking on a hyperlink that is hidden in an interface underneath seemingly legitimate content. A user could be playing a mobile game and clicking on parts of the screen, yet unbeknown to them, would also be giving authorizations to a malicious mobile application. That could include any number of permissions, or could be used to authorize a download of malware onto the device.

A typical example of clickjacking is where an attacker uses a fake X button which the user clicks to close an advert. If the X also closes a dialog box or an advert, the user is unlikely to be aware that anything untoward has occurred. Yet that X could also trigger a download or give a malicious app permission to access the microphone or all text entered on the device.

Android 4.4 and Below Susceptible to Accessibility Clickjacking

Accessibility clickjacking takes advantage of accessibility APIs, which were introduced in Android 1.6. The purpose of accessibility APIs is to make Android easier to use for people with disabilities, such as the visually impaired. The benefit is the APIs can perform a number of actions so the user doesn’t have to, but that is also the problem. These APIs have access to system-wide tools, and can interact with numerous interfaces. While these APIs are certainly beneficial, they are a potential security risk that can be exploited.

The accessibility clickjacking PoC malware identified by Skycure takes advantage of accessibility APIs, and by doing so can record virtually all activities performed on the device and perform actions without users’ consent.

The example provided involves a game that takes advantage of the accessibility feature, and gets the user to click on certain parts of the screen to progress to the next level. When a click is performed it gives a permission via the underlying software. In the example it gives an application permission to record all keystrokes entered via the Gmail app.

The researchers have warned that not only can this technique be used for keylogging, but a hacker could also use the technique to change admin settings, disable functions, encrypt the device, or delete files. All Android devices except 5.x and above are susceptible to accessibility clickjacking. That is 65% of all Android phones currently in circulation.