{
	"id": "eeb90967-fac7-411f-93a4-5c082224b7f9",
	"created_at": "2026-04-06T01:29:59.803164Z",
	"updated_at": "2026-04-10T03:20:53.671523Z",
	"deleted_at": null,
	"sha1_hash": "ff1285e26f297ca74d2213b2641a5ea6730aeb58",
	"title": "“Accessibility Clickjacking” - The Next Evolution in Android Malware that Impacts More Than 500 Million Devices [update – 1.34 Billion Devices!] »",
	"llm_title": "",
	"authors": "",
	"file_creation_date": "0001-01-01T00:00:00Z",
	"file_modification_date": "0001-01-01T00:00:00Z",
	"file_size": 596627,
	"plain_text": "“Accessibility Clickjacking” - The Next Evolution in Android\r\nMalware that Impacts More Than 500 Million Devices [update –\r\n1.34 Billion Devices!] »\r\nBy 03 Mar, 2016 | By Yair Amit\r\nPublished: 2016-03-04 · Archived: 2026-04-06 00:10:22 UTC\r\nUpdate: After presenting this research at RSA, confirmed on all Android versions through KitKat, it occurred to\r\nme that there may be a way to also run this on Android devices running Lollipop. My team was then able to test\r\nthis and verify that Lollipop is also vulnerable to Accessibility Clickjacking, elevating the total exposure to 95.4%\r\nof all Android devices.\r\nAfter reading this blog, please see my new blog where I explain the additional steps hackers can take to use this\r\nexploit on almost any Android device in use today.\r\n________\r\nDuring our RSA Conference presentation today (Thursday, March 03, 2016 | 9:10 AM | West | Room: 3009), we\r\ncovered the ongoing transition of mobile malware from being an inconvenience to consumers to a weapon that can\r\nbe used by the hacker marketplace to steal sensitive corporate data.\r\nWe showed how modern mobile malware can evade detection by malware scanners that rely on signatures, static\r\nand dynamic analysis approaches. Then, we uncovered a working Android malware PoC that can persistently\r\nmonitor all of a victim’s activity, and allow attackers to read and possibly compose corporate emails and\r\ndocuments via the victim’s device, as well as elevate their permissions to remotely encrypt or wipe the device.\r\nOne of the most interesting traits of this kind of malware is its low footprint: it does not require rooting the device\r\nand asks for limited permissions upon installation. Yet, this malware is able to circumvent many of the protections\r\nthat most users assume are reliably protecting their Android devices and compromise corporate resources used via\r\nthe device.\r\nWhat are Accessibility Services and Why Are They Interesting?\r\n“An accessibility service is an application that provides user interface enhancements to assist users with\r\ndisabilities, or who may temporarily be unable to fully interact with a device.” (Android’s Developer\r\nDocumentation).\r\nAccessibility APIs, which were introduced in Android 1.6 and significantly enhanced in Android 4.0, allow\r\nAccessibility Services to have access to the contents of the interfaces that a user interacts with (e.g., reading or\r\ncomposing an email, browsing or working on a document), as well as perform actions on the behalf of the user.\r\nThese capabilities are great for aiding users with disabilities, as they can allow the creation of system-wide text to\r\nhttps://web.archive.org/web/20170211204349/https://www.skycure.com/blog/accessibility-clickjacking/\r\nPage 1 of 11\n\nspeech tools, for example. However, these capabilities are also extremely attractive to malicious malware writers.\r\nYet we don’t see major malware utilize Accessibility APIs “in the wild.” Why?\r\nAndroid was built with the pre-ingrained understanding that Accessibility Services pose a clear threat to users.\r\nConsequently, in order for an Android App to gain Accessibility permissions, the user has to explicitly go through\r\na rather long and unnatural process with a security warning at the end of it.\r\nDemonstration of the Accessibility Permissions Approval Process\r\nAn error occurred.\r\nUnable to execute JavaScript.\r\nAs you can see in this video, a malware that requires this process to be manually done by a victim is unlikely to\r\nget a major traction.\r\nIntroducing “Accessibility Clickjacking” Malware\r\nClickjacking is a term for a malicious UI redressing technique that tricks a victim into clicking on an element that\r\nis different than the one the victim believes to be clicking on. This technique, which relied on the ability of\r\nmalicious websites to load a seemingly benign webpages with an invisible overlay from another service (attacked\r\nservice), used to be a major concern in the web-application security world and yielded a variety of attacks against\r\nimportant services or frameworks, such as Facebook, Twitter and Flash.\r\nWhile a variety of capabilities have been implemented into web browsers and web servers in order to mitigate the\r\nrisk of clickjacking, mobile still remains vulnerable and it turns out that Android is susceptible to a similar kind of\r\na threat.\r\nIt is worth noting that Clickjacking is not a theoretical threat – just a month ago, a ransomware named\r\nAndroid.Lockdroid.E that utilized Android Clickjacking to gain Admin rights was found by Symantec.\r\nhttps://web.archive.org/web/20170211204349/https://www.skycure.com/blog/accessibility-clickjacking/\r\nPage 2 of 11\n\nAs we were trying to come up with an effective way to get victims to go through the series of clicks required to\r\napprove Accessibility permissions, we decided to utilize Clickjacking for the task.\r\nWe will be covering additional details in an upcoming webinar on this topic. Register to attend here.\r\nDemonstration of the Attack Flow\r\nThe following video demonstrates:\r\nThe victim plays a naive “Rick and Morty” themed rat-hitting game, which looks benign (yes, we can\r\ncertainly improve on the graphics side – if we had time and resources to focus on non-customer-centric\r\nproblems). What actually happens in the background might come as a surprise to the victim – his/her clicks\r\nare actually propagated to an underlying and invisible layer of the operating system – the Accessibility\r\napproval dialog. Completing the game means that the victim unknowingly approved Accessibility\r\npermissions for the “benign game”!\r\nThe victim then continues using his/her Android device and composes an email to his/her CEO via the\r\nGmail app. Every action from now on is recorded by the “Rick and Morty” game.\r\nAn error occurred.\r\nTry watching this video on www.youtube.com, or enable\r\nJavaScript if it is disabled in your browser.\r\n \r\nThe Impact of “Accessibility Clickjacking”\r\nhttps://web.archive.org/web/20170211204349/https://www.skycure.com/blog/accessibility-clickjacking/\r\nPage 3 of 11\n\nAccessibility Clickjacking can allow malicious applications to access all text-based sensitive information on an\r\ninfected Android device, as well as take automated actions via other apps or the operating system, without the\r\nvictim’s consent. This would include all personal and work emails, SMS messages, data from messaging apps,\r\nsensitive data on business applications such as CRM software, marketing automation software and more.\r\nTaking it to The Next Level\r\nOnce Accessibility has been enabled on the device, hackers can even change admin permissions. No only that, the\r\nhacker can do so without having the victim click on anything or be aware of it happening. For example, the\r\nfollowing video allows Rick and Morty game to enable a new Device Admin. This can have extreme implications\r\nincluding hacker’s ability to encrypt the device’s storage, change or disable its passcode or even wipe the device\r\nremotely.\r\nAn error occurred.\r\nTry watching this video on www.youtube.com, or enable\r\nJavaScript if it is disabled in your browser.\r\n \r\nTechnical Details\r\nThis attack consists of a combination of permissions an Android app can request.\r\n1. The SYSTEM_ALERT_WINDOW (“draw over other apps”) permission. This permission allows an\r\nAndroid app to create any view over other apps. A great example of using this feature is Facebook\r\nMessenger’s “Chat Heads” feature: allowing a user to read and reply to messages while using other apps.\r\nWhen creating an overlay view, a variety of flags can be used to specify the view’s position and behaviour.\r\nIn our example, we use TYPE_SYSTEM_OVERLAY to position the view over everything else with\r\nFLAG_NOT_FOCUSABLE, passing touch events to the view under the overlay.\r\n2. An accessibility service implementation. An app can implement an accessibility service to assist a user\r\nwith “visual, physical or age-related limitations”.\r\nThese apps receive rendering, touch, text and notifications events and respond to them.\r\nhttps://web.archive.org/web/20170211204349/https://www.skycure.com/blog/accessibility-clickjacking/\r\nPage 4 of 11\n\nEnabling an accessibility service shows the user a clear warning of what it will be able to do with the new\r\npermissions.\r\nOur PoC shows what an attacker can do when combining these two Android features: a user can enable an\r\naccessibility service, without his/her consent or understanding of the risks involved in this action just by playing a\r\nsimple game.\r\nList of Android Versions Affected by Accessibility Clickjacking\r\nWe were able to demonstrate that the issue impacts all versions of Android except the last two versions – 5.x and\r\n6.x. This would account for about 65% of the devices at this point of time – a staggering number of more than 500\r\nMillion Android devices being vulnerable.\r\nVersion Codename API Distribution\r\n2.2 Froyo 8 0.1%\r\n2.3.3 – 2.3.7 Gingerbread 10 2.7%\r\n4.0.3 – 4.0.4 Ice Cream Sandwich 15 2.5%\r\n4.1.x Jelly Bean 16 8.8%\r\n4.2.x 17 11.7%\r\n4.3 18 3.4%\r\n4.4 KitKat 19 35.5%\r\n5.0 Lollipop 21 17.0%\r\n5.1 22 17.1%\r\n6.0 Marshmallow 23 1.2%\r\nhttps://web.archive.org/web/20170211204349/https://www.skycure.com/blog/accessibility-clickjacking/\r\nPage 5 of 11\n\nSource: Android.com\r\nRemediation\r\nWith the Skycure App, one could persistently detect threats across all mobile attack vectors, including malware,\r\nand automatically apply relevant security and compliance policy to alert on, quarantine, or block infected devices.\r\nThe following is a list of user behavior recommendations to better protect end users from mobile threats:\r\n1. Update the operating system to the latest as soon as an update becomes available\r\n2. Do not click on any dialogue boxes popping up on your phone unless and until you are sure about the\r\naction that caused them to appear\r\n3. Do not install applications from third-party app stores if you do not trust them (while in many cases this is\r\nnot a realistic option, try to switch off the setting that allows third-party app installation)\r\n(a) Step 1 – Open “Settings” app.\r\n(b) Step 2 – Navigate to “Security” settings\r\n(c) Step 3 – Uncheck “Unknown sources”\r\nhttps://web.archive.org/web/20170211204349/https://www.skycure.com/blog/accessibility-clickjacking/\r\nPage 6 of 11\n\nhttps://web.archive.org/web/20170211204349/https://www.skycure.com/blog/accessibility-clickjacking/\r\nPage 7 of 11\n\n4. Check for apps that utilize accessibility permissions on your device and turn this option off if you don’t\r\nrecall turning it on or if you do not require that functionality.\r\n(a) Open “Settings” app.\r\n(b) Navigate to “Accessibility” settings\r\n(c) Make sure there is either no there is no group named “Services”, or the group has no enabled entries.\r\nhttps://web.archive.org/web/20170211204349/https://www.skycure.com/blog/accessibility-clickjacking/\r\nPage 8 of 11\n\nhttps://web.archive.org/web/20170211204349/https://www.skycure.com/blog/accessibility-clickjacking/\r\nPage 9 of 11\n\n5. Download a mobile threat defense app to scan your device for any existing and future malicious\r\napplications.\r\nIf you need help with assessing whether your organization is at risk because of any mobile vulnerability, threat or\r\nattack, you can request a free trial of Skycure Enterprise Edition here.\r\nAcknowledgments\r\nI’d like to thank Elisha Eshed from Skycure Research for his great contribution to this research.\r\nAre your mobile devices impacted? Find out with a free assessment.\r\nhttps://web.archive.org/web/20170211204349/https://www.skycure.com/blog/accessibility-clickjacking/\r\nPage 10 of 11\n\nSource: https://web.archive.org/web/20170211204349/https://www.skycure.com/blog/accessibility-clickjacking/\r\nhttps://web.archive.org/web/20170211204349/https://www.skycure.com/blog/accessibility-clickjacking/\r\nPage 11 of 11",
	"extraction_quality": 1,
	"language": "EN",
	"sources": [
		"MITRE"
	],
	"references": [
		"https://web.archive.org/web/20170211204349/https://www.skycure.com/blog/accessibility-clickjacking/"
	],
	"report_names": [
		"accessibility-clickjacking"
	],
	"threat_actors": [],
	"ts_created_at": 1775438999,
	"ts_updated_at": 1775791253,
	"ts_creation_date": 0,
	"ts_modification_date": 0,
	"files": {
		"pdf": "https://archive.orkl.eu/ff1285e26f297ca74d2213b2641a5ea6730aeb58.pdf",
		"text": "https://archive.orkl.eu/ff1285e26f297ca74d2213b2641a5ea6730aeb58.txt",
		"img": "https://archive.orkl.eu/ff1285e26f297ca74d2213b2641a5ea6730aeb58.jpg"
	}
}