A new pair of Android vulnerabilities were recently discovered, according to the Skycure.
The group reported that both vulnerabilities would enable dangerous personal apps to look at, change and even take content that should be securely stored in the Work profile of an Android device.
Google’s work features in Android were produced after the use of personal devices in the workplace began to skyrocket. The goal was to allow a user to create a profile with business-level security, while leaving the original, un-managed personal profile open.
“The Android mechanism of user separation relies on an additional sandbox or secure container, where apps outside the sandbox cannot access data inside the sandbox,” CTO of Skycure Yair Amit said in a recent blog post. “In other words, no application installed within the device’s personal profile should have any kind of access to the activity or content in the work profile.”
But vendor Skycure pointed out that two ‘app-in-the-middle’ attacks could penetrate it.
For example, a malicious app could take actions on notifications, whether work related or not, given that notifications are enabled at the device level. And critical information such as emails could appear in those notifications. The malicious app may also have the power to transmit the information viewed.
What’s even more troublesome is that a hacker may be able to use the method to get to even more crucial data, or “gain even greater access into sensitive work information by initiating a forgot[ten] password process on some enterprise system and hijacking the subsequent on-device notification to grant himself full enterprise access, even outside of the context of the mobile device,” Amit said.
He went on to say, “To keep this attack covert, the malicious app can immediately dismiss the notification and ‘archive’ the recovery email using the Android Notifications API so the victim is completely unaware they have been hacked….The attacker may even capture two-factor authentication and administrators will not have any visibility of the theft.”
The second vulnerability was found in the Accessibility Service, which helps users navigate their devices. While this is helpful, it’s also a risk given that the service needs access to all of the content and controls on the device. This is an easy target for hackers.
“This app-in-the-middle resides in the personal profile, yet is effective in stealing corporate information as the user interacts with it,” Amit said. “The personal profile cannot be monitored or controlled from the work profile, so even if IT administrators try to enforce security on the work profile (e.g., by restricting the profile settings or allowing only whitelisted apps) it won’t be possible to detect any exposure of sensitive information that uses the Accessibility Service, as they cannot access the personal profile. In order to perform such an attack, a malicious application would register as an Accessibility Service, present it with an innocent label, and manipulate the user to grant the access.”
Android has classified these threats as “intended behaviors,” so a patch is not expected.
Stay with us for updates should they become available.