More than 1 Billion Android Devices Susceptible to Accessibility Clickjacking Exploits

Exploit allows hackers to monitor all user activity, remotely wipe or encrypt device

Experts Corner By Yair Amit, CTO & co-founder @ Skycure

One of the most devastating Android vulnerabilities was recently discovered by Skycure Research Labs that impacts 95.4% of Android devices in use today. Exploits that take advantage of this vulnerability would completely evade detection by malware scanners that rely on signatures or static and dynamic analysis because everything it does is completely allowed by the operating system as designed. Using this method, a malicious hacker could view all textual activity on the device, including corporate emails and messaging, without alerting the user. He or she could grant themself administrator rights, encrypt the device, and even change the password and threaten to wipe the device to extract ransom. What is this vulnerability and how can users and organizations protect themselves from it?

Accessibility Clickjacking exploits two otherwise benign features of the Android operating system. Accessibility Services provide user interface enhancements to help users interact with their device, and the ability to draw over apps allows graphical overlays to programs that may allow touches to enact on the program below it, even if the overlay is not transparent. Combining these features, a malicious hacker could create a game that encourages the user to tap certain locations on the screen, while passing those taps through to the Accessibility Services screen to grant full privileges to the “game” the hacker controls remotely.

An example of the attack can be viewed in this video:

This vulnerability was originally believed to be relevant for all versions of Android through KitKat (4.4) because in Lollipop (5.x) the Android team added additional protection to the final “OK” button that would grant accessibility permissions. Skycure researchers found a way around this protection by creating a hole in the overlay that obscures most, but not all, of the OK button. With this method, Lollipop is also vulnerable to this type of attack, making the total number of vulnerable devices at the time of this article 1.34 billion.

Enterprises identify security as the number one issue preventing the adoption of mobility, and traditional solutions like MDM and EMM, while great for mobile management, simply are not designed to provide the visibility necessary to identify and protect from most malware, network-based attacks or vulnerability exploits launched by malicious hackers.


Organizations looking to defend their mobile ecosystems from such threats can take the following advice:

  1. The major EMM vendors all recommend adding a Mobile Threat Defense solution, like Skycure, that is specifically designed for this purpose,
  2. The SANS Institute identifies four essential threat vectors to protect against – physical, network, malware, app/OS vulnerabilities – and recommends that solutions should have deep analysis capabilities that leverage crowd-sourced intelligence.
  3. Users are advised to update to the most recent version of Android, download only apps from trusted sources, such as the Google Play Store, and run an updated version of a Mobile Threat Defense solution.