Android for Work Accessibility Exploit



In 2014 Google created Android for Work, a mobile security feature that allows organizations to manage and protect mobile work apps and data in isolation from the personal apps and content on the same device. While improving privacy, they should also prevent the exposure of work content to any personal apps or unauthorized users. But it doesn't. This video demonstrates how Google's implementation allows attackers to circumvent the secure separation framework using accessibility services.

First, we can see how the work feature is supposed to work. When downloading a work document while in the work profile, it is only available in that context. Notice that when we view personal downloads, the work document is not available and does not even show. Going back to the work profile, we can view and open the work document.

Now let's look at how an attacker can use social engineering to implement an app-in-the-middle attack to exploit Android's accessibility feature. This user wants to install Sticky-Wicky, an app that provides instant Wikipedia lookups simply by typing the desired term into any email message or document. Note that personal apps such as this do not have the red briefcase designation of the managed work apps and clearly should not have access to work content.

Opening the new app, the user is asked to grant accessibility permissions so the app will be able to observe all content on the screen in order to recognize when to perform a lookup. Now that Sticky-Wicky can access any screen content, the user simply types "at wiki" in any app, such as this email, then the term or topic he wishes to look up, to see the Wikipedia summary.

Now let's see what happens when the user switches to his work profile by opening one of the managed apps, indicated by the red briefcase. He taps on an email with confidential information, and because Sticky-Wicky is actually a malicious app, the contents are silently sent to the attacker's command-and-control server.

Any app with accessibility services activated, when installed as a personal app, has full access to all content the user interacts with, even content that should have been safely protected in the Android for Work container.
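Because the exposure described above depends on an accessibility service being enabled in the personal profile, one defensive check is to audit which services are enabled on a device. The script below is an added example, not part of the video: it parses the colon-separated value of Android's `enabled_accessibility_services` secure setting and reports any component whose package is not on an approved list. The approved list and the sample value are constructed for illustration.

```shell
#!/bin/sh
# Added example (not from the video): flag enabled accessibility services
# whose package is not on an approved list.
#
# On a test device the input value can be read with:
#   adb shell settings get secure enabled_accessibility_services
# It is a colon-separated list of "package/ServiceClass" components, or
# empty / "null" when no service is enabled.

# Assumption: packages the organisation approves (constructed list).
APPROVED_PACKAGES="com.google.android.marvin.talkback"

# Constructed sample value: one approved service, one unknown lookup app.
SAMPLE_ENABLED="com.google.android.marvin.talkback/.TalkBackService:com.example.stickylookup/.LookupService"

# Prints every enabled component whose package is not approved, one per line.
# Runs in a subshell "( ... )" so IFS and set -f do not leak to the caller.
unapproved_a11y_services() (
    enabled=$(printf '%s' "$1" | tr -d '\r\n')   # adb output may end in CR/LF
    approved=$2
    if [ -z "$enabled" ] || [ "$enabled" = "null" ]; then
        exit 0
    fi
    set -f        # no filename expansion while splitting
    IFS=':'
    for entry in $enabled; do
        [ -n "$entry" ] || continue
        pkg=${entry%%/*}            # component is "package/class"
        case " $approved " in
            *" $pkg "*) ;;          # package is approved
            *) printf '%s\n' "$entry" ;;
        esac
    done
)

# Run the audit on the constructed sample so the script works offline.
findings=$(unapproved_a11y_services "$SAMPLE_ENABLED" "$APPROVED_PACKAGES")
if [ -n "$findings" ]; then
    printf 'Unapproved accessibility services enabled:\n%s\n' "$findings"
fi
```
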
