
Malicious hackers could exploit flaws in Android for Work to nab sensitive data

One of the pillars of Google’s enterprise-focused “work features in Android platform,” previously called Android for Work, is security. But a newly discovered exploit demonstrated at the RSA conference in San Francisco on February 16 showed how an attacker could view, steal, and even manipulate content on a corporate Android smartphone without tipping off IT administrators.

The flaw, discovered by Yair Amit, chief technology officer of cybersecurity firm Skycure, has to do with the way Android for Work handles “sandboxes,” or protects user profiles. The service operates on the idea of a “work” profile with business-level controls, enterprise applications, corporate email, and secure documents on a smartphone or tablet. This secure profile effectively acts as a separate user, though it shares icon badges and notifications with the personal profile.

This concept of sandboxing — creating a secure container where apps outside the work profile can’t access data inside it — is key to Android for Work’s conceit. But it isn’t bulletproof.

One potential line of attack involves Android’s notifications framework. Incoming Android for Work messages are designated with a red briefcase icon in Android’s notifications window, giving the impression that they remain segregated from those in the personal profile.

But notifications on Android are a device-level permission, meaning apps in the personal profile can potentially manipulate the content of notifications from the work profile. Malicious software could view sensitive incoming work emails, calendar appointments, file attachments, and other messages, for example, and could transmit that information to a remote server.

The second line of attack exploits a flaw in Android’s Accessibility Service, the Android component that provides usability enhancements for impaired users. It necessarily has access to virtually all of Android’s content and controls, making apps that acquire permission to use it particularly dangerous — and difficult to detect. For instance, an app could use Android’s Draw Over Apps feature, which allows apps to lay text and graphics on top of other apps, to trick a user into activating Accessibility Service or Notifications access without their knowledge.

That’s not to suggest the attacks can’t be mitigated. Android 6.0 Marshmallow requires users to manually allow apps to create system overlays by changing permissions in the settings menu. And the Notifications attack requires a user to grant extraordinary permissions to an installed app. Still, Amit notes the relative ease of circumventing Android for Work’s sandboxing method by exploiting the “illusion” of security.
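A defender-side audit for the grants described above, added here as an example and not code from the article or from Skycure: it lists which packages in the personal profile hold notification-listener or accessibility-service access (the real Settings.Secure keys), and for unexpected ones also reports the Draw Over Apps op. The EMM allowlist, the `com.badapp.cleaner` package and the sample value are constructed.

```shell
#!/bin/sh
# Audit the grants the article describes: which packages in the personal
# profile may read notifications (notification-listener access) or drive the
# Accessibility Service. Keys are the real Settings.Secure keys; the
# allowlist and sample values below are constructed for this example.
ALLOWED="com.example.emm.agent com.android.systemui"   # hypothetical EMM allowlist

# flag_components RAW ALLOWED
# RAW is the colon-separated value of a Settings.Secure key such as
# enabled_notification_listeners ("pkg/Class:pkg2/Class2", or "null" if unset).
# Prints each package not on the allowlist; returns 1 if any were found.
flag_components() {
    raw=$1; allowed=$2; found=0
    case "${raw:-null}" in null) return 0 ;; esac
    for comp in $(printf '%s' "$raw" | tr ':' ' '); do
        pkg=${comp%%/*}                      # strip the /ServiceClass part
        case " $allowed " in
            *" $pkg "*) ;;                   # expected, policy-approved grant
            *) echo "$pkg"; found=1 ;;
        esac
    done
    return $found
}

# audit_device [USER_ID]: query a connected device with adb (user 0 = the
# personal profile, where the article places the malicious app) and, for
# every unexpected package, also report its Draw Over Apps (overlay) op.
audit_device() {
    user=${1:-0}
    for key in enabled_notification_listeners enabled_accessibility_services; do
        raw=$(adb shell settings --user "$user" get secure "$key" | tr -d '\r')
        echo "== $key (user $user) =="
        flag_components "$raw" "$ALLOWED" | while read -r pkg; do
            overlay=$(adb shell appops get "$pkg" SYSTEM_ALERT_WINDOW | tr -d '\r')
            echo "UNEXPECTED $pkg  overlay: ${overlay:-unknown}"
        done
    done
}

# Constructed stand-in for the adb output on a device where a personal-profile
# "cleaner" app has obtained notification-listener access next to the EMM agent.
SAMPLE_LISTENERS='com.example.emm.agent/.NotifListener:com.badapp.cleaner/.ListenerSvc'
# Run `audit_device 0` with a device attached, or check offline:
# flag_components "$SAMPLE_LISTENERS" "$ALLOWED"   -> com.badapp.cleaner
```

The same check can be run against the work profile by passing its user id to `audit_device`.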

“The interesting thing about both of these […] methods of defeating the Android for Work profile separation is that the device and the Android operating system remain operating exactly as designed and intended,” Amit said.

“It is the user who must be tricked into placing the software on the device and activating the appropriate services that allow the malware access to sensitive information. [The] illusion of a secure container […] tends to allow people to let their guard down in the belief that the environment itself is a sufficient security mechanism to protect data.”

Kyle Wiggers
Former Digital Trends Contributor