Malware just got a new face on Android devices, and it’s called “accessibility clickjacking”. It was brought to light by mobile security outfit Skycure, which says that more than half of Android devices can fall victim to this ingenious way of getting you to grant permissions to malware on your system.
According to Adi Sharabani and Yair Amit, co-founders of Skycure, clickjacking basically tricks victims into clicking on an element that might not actually appear on the screen, most likely a permission button or something like that. The trick is done by overlaying something relatively benign on the display, like a picture, an online game or an ad. You tap on the picture to dismiss it, but you might actually be manually allowing access to your phone’s data, and you would never know it happened.
“Accessibility Clickjacking can allow malicious applications to access all text-based sensitive information on an infected Android device, as well as take automated actions via other apps or the operating system, without the victim’s consent,” Skycure explains. “This would include all personal and work emails, SMS messages, data from messaging apps, sensitive data on business applications such as CRM software, marketing automation software and more.”
The most frightening part? Skycure was able to replicate the vulnerability on 65% of Android devices, anything from Android 2.2 Froyo to Android 4.4 KitKat. People on Lollipop and Marshmallow are relatively safe, but on anything lower you might become a victim of data mining, with malicious elements gaining access to your phone’s data.