New research claims that clickjacking attacks affect more than 95% of Android devices, but the actual number of devices at risk is more difficult to determine.
Skycure updated research originally presented at RSA Conference 2016, which claimed that clickjacking attacks affected about 65% of all Android devices, or more than 500 million devices worldwide. The updated report raises that figure to 95.4%, which would put 1.34 billion Android devices at risk.
The so-called Accessibility Clickjacking malware takes advantage of Android accessibility services and the ability to draw over other apps in order to gain control of the mobile device, including acquiring elevated privileges and exposing the content of all apps on the device. In short, users are tricked into turning on accessibility services by tapping through Settings screens that are obscured by an app drawn over them.
The estimated number of affected devices rose because Skycure originally thought the clickjacking attack could not be performed on Android 5.0 and higher, since accessibility services cannot be turned on if the "OK" button is covered by a screen overlay. However, Yair Amit, CTO at Skycure, realized it was still possible as long as the screen overlay had a small cutout where that "OK" button was.
Amit noted that Android 6.0 Marshmallow is "significantly more difficult to exploit" because users are required to manually allow specific apps to draw over other apps.
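The two platform features described above, overlays drawn over other apps and the obscured-window touch flags, both have defender-side counterparts in the Android SDK. The Java example below is added here and is not code from the article or from Skycure: it shows an Activity that discards taps on a sensitive button while its window is obscured, a helper that lists the accessibility services currently enabled, and a check for the "draw over other apps" permission that Marshmallow gates manually. The package, class and method names are hypothetical; the SDK calls (`setFilterTouchesWhenObscured`, `MotionEvent.FLAG_WINDOW_IS_OBSCURED`, `FLAG_WINDOW_IS_PARTIALLY_OBSCURED`, `AccessibilityManager.getEnabledAccessibilityServiceList`, `Settings.canDrawOverlays`) are real.

```java
// Added example, not from the article: defensive handling of overlay
// (tapjacking) attacks in an Android app. Package and class names are
// hypothetical; the framework APIs used are real.
package com.example.tapjackingdefense;

import android.accessibilityservice.AccessibilityServiceInfo;
import android.app.Activity;
import android.content.Context;
import android.os.Build;
import android.os.Bundle;
import android.provider.Settings;
import android.util.Log;
import android.view.MotionEvent;
import android.view.accessibility.AccessibilityManager;
import android.widget.Button;
import android.widget.Toast;

import java.util.ArrayList;
import java.util.List;

public class SensitiveActionActivity extends Activity {

    private static final String TAG = "TapjackingDefense";

    @Override
    protected void onCreate(Bundle savedInstanceState) {
        super.onCreate(savedInstanceState);

        // A single programmatic button keeps the example self-contained.
        Button confirm = new Button(this);
        confirm.setText("Confirm");
        setContentView(confirm);

        // Option 1 (simplest): let the framework drop touches that arrive while
        // another window obscures the touch point. Equivalent to
        // android:filterTouchesWhenObscured="true" in layout XML. It is left
        // commented out here so the manual check below actually sees the events.
        // confirm.setFilterTouchesWhenObscured(true);

        // Option 2: inspect the flags ourselves so the event can be logged,
        // which gives an anti-abuse team telemetry on attempted tapjacking.
        confirm.setOnTouchListener((view, event) -> {
            int flags = event.getFlags();
            // Set when the touch point itself lies under another window.
            // Caveat: an overlay with a cutout over the button (the trick the
            // article describes) leaves this flag clear.
            boolean obscuredAtTouchPoint =
                    (flags & MotionEvent.FLAG_WINDOW_IS_OBSCURED) != 0;
            // From Android 10 (API 29) this flag is set when ANY part of the
            // window is covered, which also catches the cutout case.
            boolean partiallyObscured = Build.VERSION.SDK_INT >= Build.VERSION_CODES.Q
                    && (flags & MotionEvent.FLAG_WINDOW_IS_PARTIALLY_OBSCURED) != 0;
            if (obscuredAtTouchPoint || partiallyObscured) {
                Log.w(TAG, "Touch on confirm button while window obscured; ignoring");
                return true; // consume the event so onClick never fires
            }
            return false; // not obscured: normal click handling proceeds
        });

        confirm.setOnClickListener(v -> performSensitiveAction());
    }

    private void performSensitiveAction() {
        // Placeholder for the action being protected (e.g. approving a transfer).
        Toast.makeText(this, "Sensitive action performed", Toast.LENGTH_SHORT).show();
    }

    /**
     * Returns the package names of accessibility services currently enabled on
     * the device. A security-sensitive app can compare this list against
     * known assistive apps and warn the user about anything unexpected.
     */
    public static List<String> enabledAccessibilityServices(Context context) {
        List<String> result = new ArrayList<>();
        AccessibilityManager am =
                (AccessibilityManager) context.getSystemService(Context.ACCESSIBILITY_SERVICE);
        if (am == null) {
            return result;
        }
        for (AccessibilityServiceInfo info :
                am.getEnabledAccessibilityServiceList(AccessibilityServiceInfo.FEEDBACK_ALL_MASK)) {
            // getId() returns "package/.ServiceClass"; keep only the package part.
            String id = info.getId();
            int slash = id.indexOf('/');
            result.add(slash > 0 ? id.substring(0, slash) : id);
        }
        return result;
    }

    /**
     * Reports whether THIS app holds the "draw over other apps" permission.
     * On Android 6.0+ it must be granted by the user in Settings; an app that
     * never needs overlays should expect false here.
     */
    public static boolean canDrawOverOtherApps(Context context) {
        if (Build.VERSION.SDK_INT >= Build.VERSION_CODES.M) {
            return Settings.canDrawOverlays(context);
        }
        return true; // pre-Marshmallow: granted at install time if declared
    }
}
```

The partially-obscured check is the one that matters for the cutout variant described in the article: a pixel-sized hole over the "OK" button leaves the touch point unobscured, so only the whole-window flag reveals that something is drawn on top.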
In the worst-case scenario, Amit claims this clickjacking attack "can have extreme implications including hacker's ability to encrypt the device's storage, change or disable its passcode or even wipe the device remotely."
Liviu Arsene, senior e-threat researcher at Romania-based antimalware firm Bitdefender, said the clickjacking attack is dangerous, but the risk may not be very widespread despite the number of devices potentially impacted.
"This is not an OS vulnerability per se but more of an abused feature that could lead to potentially malicious actions," Arsene told SearchSecurity. "While it is true that a great deal of Android devices could potentially be victimized, it all boils down to users actually installing these malicious applications. For the most part, Google Play does a fairly good job at bouncing such apps and only third-party marketplaces could be harboring such booby-trapped applications. In case one actually slipped and ended up in the official store, it's likely the number of victims would be relatively small, both because the app would be reported by security vendors and the fact that it will only be downloaded by a limited number of users."