Skip to main content
  1. Home
  2. Mobile
  3. News

Malicious hackers could exploit flaws in Android for Work to nab sensitive data

Kyle Wiggers
By

android 23 gingerbread deprecated for work
wutlufaipy/123RF
One of the pillars of Google’s enterprise-focused “work features in Android platform,” previously called Android for Work, is security. But a newly discovered exploit demonstrated at the RSA conference in San Francisco on February 16 showed how an attacker could view, steal, and even manipulate content on a corporate Android smartphone without tipping off IT administrators.

The flaw, discovered by Yair Amit, chief technology officer of cybersecurity firm Skycure, has to do with the way Android for Work handles “sandboxes,” or protects user profiles. The service operates on the idea of a “work” profile with business-level controls, enterprise applications, corporate email, and secure documents on a smartphone or tablet. This secure profile effectively acts as a separate user, though it shares icon badges and notifications with the personal profile.

Recommended Videos

This concept of sandboxing — creating a secure container where apps outside the work profile can’t access data inside it — is key to Android for Work’s conceit. But it isn’t bulletproof.

Related

One potential line of attack involves Android’s notifications framework. Incoming Android for Work messages are designated with a red briefcase icon in Android’s notifications window, giving the impression that they remain segregated from those in the personal profile.

But notifications on Android are a device-level permission, meaning apps in the personal profile can potentially manipulate the content of notifications from the work profile. Malicious software could view sensitive incoming work emails, calendar appointments, file attachments, and other messages, for example, and could transmit that information to a remote server.

The second line of attack exploits a flaw in Android’s Accessibility Service, the Android component that provides usability enhancements for impaired users. It necessarily has access to virtually all of Android’s content and controls, making apps that acquire permission to use it particularly dangerous — and difficult to detect. For instance, an app could use Android’s Draw Over Apps feature, which allows apps to lay text and graphics on top of other apps, to trick a user into activity Accessibility Service or Notifications without their knowledge.

That’s not to suggest the attacks can’t be mitigated. Android 6.0 Marshmallow requires users to manually allow apps to create system overlays by changing permissions in the settings menu. And the Notifications attack requires a user to grant extraordinary permissions to an installed app. Still, Amit notes the relative ease of circumventing Android for Work’s sandboxing method by exploiting the “illusion” of security.

“The interesting thing about both of these […] methods of defeating the Android for Work profile separation is that the device and the Android operating system remain operating exactly as designed and intended,” Amit said.

“It is the user who must be tricked into placing the software on the device and activating the appropriate services that allow the malware access to sensitive information. [The] illusion of a secure container […] tends to allow people to let their guard down in the belief that the environment itself is a sufficient security mechanism to protect data.”

Editors' Recommendations

Topics
Kyle Wiggers
Kyle Wiggers
Former Digital Trends Contributor
Kyle Wiggers is a writer, Web designer, and podcaster with an acute interest in all things tech. When not reviewing gadgets…
How to view Instagram without an account
An iPhone 15 Pro Max showing Instagram via a web browser.

Instagram is one of the largest social media platforms on the planet. Whether you want to share a family photo, what you had for lunch at your favorite cafe, or a silly video of your cat, Instagram is the place to do it.

Read more
Something odd is happening with Samsung’s two new budget phones
A person holding the Samsung Galaxy A35 and Galaxy A55.

The Samsung Galaxy A35 (left) and Galaxy A55 Andy Boxall / Digital Trends

I’ve been using the Samsung Galaxy A55 for almost two weeks and have now swapped my SIM card over to the Samsung Galaxy A35. These are the latest entries in Samsung's budget-minded Galaxy-A series. In all honestly, I can barely tell the difference between them.

Read more
Learn 14 languages: Get $449 off a lifetime subscription to Babbel
A person using the Babbel app on their smartphone.

Learning a new language no longer requires you to make time for formal classes because there are now several language learning apps that you can tap. One of them is Babbel, and you can currently get a lifetime subscription to the online learning platform for only $150 from StackSocial. That's $449 off its original price of $599, but we don't know how much time is remaining before the offer expires. If you want to take advantage of the 74% discount, it's highly recommended that you complete the transaction immediately.

Why you should buy the Babbel lifetime subscription
A lifetime subscription to Babbel not only unlocks the possibility of learning one or two new languages, as the platform encompasses a total of 14 languages: English, French, Spanish, German, Italian, Portuguese, Swedish, Turkish, Dutch, Polish, Indonesia, Norwegian, Danish, and Russian. You'll be learning your new language of choice with lessons that only take 10 minutes to 15 minutes each to complete, so unlike classes with a rigid schedule, you can learn at your own pace and at any time you're free through Babbel. The lessons cover real-life topics, and they use speech recognition technology to help you master pronunciation. You'll then test yourself through personalized review sessions that will help make sure that you retain all the information that's being taught to you.

Read more