Mobile security company Skycure revealed at the RSA conference in San Francisco earlier this week that new malware puts more than half a billion Android smartphones at risk of being exposed to hackers. Considered one of the most dangerous malware threats, "accessibility clickjacking" creates a backdoor for hackers to gain access to all text-based sensitive information stored on the device, all without users' knowledge or authorisation.
According to Skycure, the damage caused by accessibility clickjacking extends to all personal and work emails, SMS, data from other messaging apps, sensitive data in business apps such as SRM software, and more. Once triggered, accessibility clickjacking allows hackers to execute unauthorised actions via other apps or the operating system itself.
The security company also noted that Android versions 5.0 (Lollipop) and 6.0 (Marshmallow) are not at risk of accessibility clickjacking, but no previous iteration is immune. The affected releases are Android versions 2.2 (Froyo) to 4.4 (KitKat), which account for a staggering total of more than 500 million Android smartphones, or about 65 percent of all devices.
The level of threat associated with accessibility clickjacking is extremely high due to its low footprint, the limited permissions it needs upon installation and its capability to work on devices whether or not they are rooted.
"Clickjacking is a term for a malicious UI redressing technique that tricks a victim into clicking on an element that is different than the one the victim believes to be clicking on," Skycure wrote, explaining the threat.
"This technique, which relied on the ability of malicious websites to load a seemingly benign webpage with an invisible overlay from another service (attacked service), used to be a major concern in the web-application security world and yielded a variety of attacks against important services or frameworks, such as Facebook, Twitter and Flash."
Tips to stay protected from accessibility clickjacking
- Keep your Android smartphone updated with the latest version of the software.
- Do not click on suspicious pop-ups.
- Do not download apps from third-party app stores. Uncheck "Unknown sources" under Settings > Security to avoid that.
- Disable apps that require accessibility permissions unless they are necessary.
- Scan your mobile for threats using suitable apps like Skycure.
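
For anyone checking more than one handset, the tips above can be turned into a repeatable audit. The following is an added example, not code from Skycure or from this article: it takes three values read off a device (the SDK level and the two settings named in the comments) and reports which tips the device fails. The function names, the allowlist and the sample values are assumptions made for illustration.

```python
# Inputs are values captured from a device, for example with:
#   adb shell getprop ro.build.version.sdk
#   adb shell settings get secure enabled_accessibility_services
# and the "install_non_market_apps" setting behind "Unknown sources"
# (its namespace, secure or global, depends on the Android version).
# The `settings` shell command is absent on the oldest affected releases.

# API 8 is Android 2.2 (Froyo), API 19 is Android 4.4 (KitKat): the range
# the article lists as affected. Android 5.0 (API 21) and later are not.
AFFECTED_SDK = range(8, 20)

def parse_services(raw):
    """Split the colon-separated 'package/class' list into (package, class) pairs."""
    raw = (raw or "").strip()
    if raw in ("", "null"):          # nothing enabled, or setting never written
        return []
    pairs = []
    for item in raw.split(":"):
        pkg, _, cls = item.strip().partition("/")
        if pkg:
            pairs.append((pkg, cls))
    return pairs

def audit(sdk, services_raw, unknown_sources, allowlist):
    """Return a list of findings; an empty list means every check passed."""
    findings = []
    if int(sdk) in AFFECTED_SDK:
        findings.append("os: API %d is in the affected range (Android 2.2 to 4.4)" % int(sdk))
    if str(unknown_sources).strip() == "1":
        findings.append("unknown-sources: enabled")
    for pkg, cls in parse_services(services_raw):
        if pkg not in allowlist:
            findings.append("accessibility: %s is enabled and not allowlisted" % pkg)
    return findings

# Constructed sample values, not taken from a real device.
SAMPLE_SERVICES = ("com.google.android.marvin.talkback/"
                   "com.google.android.marvin.talkback.TalkBackService:"
                   "com.example.flashlight/.HelperService")
ALLOWLIST = {"com.google.android.marvin.talkback"}   # hypothetical policy

if __name__ == "__main__":
    for line in audit("19", SAMPLE_SERVICES, "1", ALLOWLIST):
        print(line)
```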