Skip to main content
  1. Home
  2. Mobile
  3. News

Malicious hackers could exploit flaws in Android for Work to nab sensitive data

Kyle Wiggers
By

android 23 gingerbread deprecated for work
wutlufaipy/123RF
One of the pillars of Google’s enterprise-focused “work features in Android platform,” previously called Android for Work, is security. But a newly discovered exploit demonstrated at the RSA conference in San Francisco on February 16 showed how an attacker could view, steal, and even manipulate content on a corporate Android smartphone without tipping off IT administrators.

The flaw, discovered by Yair Amit, chief technology officer of cybersecurity firm Skycure, has to do with the way Android for Work handles “sandboxes,” or protects user profiles. The service operates on the idea of a “work” profile with business-level controls, enterprise applications, corporate email, and secure documents on a smartphone or tablet. This secure profile effectively acts as a separate user, though it shares icon badges and notifications with the personal profile.

Recommended Videos

This concept of sandboxing — creating a secure container where apps outside the work profile can’t access data inside it — is key to Android for Work’s conceit. But it isn’t bulletproof.

Related

One potential line of attack involves Android’s notifications framework. Incoming Android for Work messages are designated with a red briefcase icon in Android’s notifications window, giving the impression that they remain segregated from those in the personal profile.

But notifications on Android are a device-level permission, meaning apps in the personal profile can potentially manipulate the content of notifications from the work profile. Malicious software could view sensitive incoming work emails, calendar appointments, file attachments, and other messages, for example, and could transmit that information to a remote server.

The second line of attack exploits a flaw in Android’s Accessibility Service, the Android component that provides usability enhancements for impaired users. It necessarily has access to virtually all of Android’s content and controls, making apps that acquire permission to use it particularly dangerous — and difficult to detect. For instance, an app could use Android’s Draw Over Apps feature, which allows apps to lay text and graphics on top of other apps, to trick a user into activity Accessibility Service or Notifications without their knowledge.

That’s not to suggest the attacks can’t be mitigated. Android 6.0 Marshmallow requires users to manually allow apps to create system overlays by changing permissions in the settings menu. And the Notifications attack requires a user to grant extraordinary permissions to an installed app. Still, Amit notes the relative ease of circumventing Android for Work’s sandboxing method by exploiting the “illusion” of security.

“The interesting thing about both of these […] methods of defeating the Android for Work profile separation is that the device and the Android operating system remain operating exactly as designed and intended,” Amit said.

“It is the user who must be tricked into placing the software on the device and activating the appropriate services that allow the malware access to sensitive information. [The] illusion of a secure container […] tends to allow people to let their guard down in the belief that the environment itself is a sufficient security mechanism to protect data.”

Editors' Recommendations

Topics
Kyle Wiggers
Kyle Wiggers
Former Digital Trends Contributor
Kyle Wiggers is a writer, Web designer, and podcaster with an acute interest in all things tech. When not reviewing gadgets…
One of the biggest Oura Ring competitors just did something huge
The Ultrahuman Ring Air and the Oura Ring, resting on a table.

Ultrahuman, the maker of the Ultrahuman Ring Air, is making its way to U.S. production grounds. The company is setting up a production facility in Indiana, which will mark the first time a smart ring from Ultrahuman will be assembled from scratch on U.S. soil.

“The UltraFactory will offer an end-to-end production capability and is based on the company’s first operational model of such a facility in India,” the company says.

Read more
Best Verizon new customer deals: Galaxy S24, iPhone and more
Verizon logo on a smartphone screen in a dark room and a finger touching it.

If you’re in the market for one of the best phones, or any new phone for that matter, you’re going to need a good carrier. Verizon has long been one of the most popular options, as it boasts one of the most reliable networks in the United States. It offers some of the best cell phone plans out there, and for new customers Verizon also offers some pretty impressive discounts on new phones. In many cases this means you can brand new, recently released phones entirely for free when signing up with Verizon. And that’s the case right now, as we’re currently seeing some of the best Verizon new customer deals we’ve seen. You can pretty easily land a new iPhone, Samsung Galaxy phone, and Google Pixel for free, and we’ve got all of the details on how to do so. If that sounds enticing, read onward and start shopping the best Verizon new customer deals available right now.
Free iPhone SE (3rd Gen)

The 2022 release of the Apple iPhone SE is yours for free when you sign up for a new 5G data plan on Verizon -- no trade-ins required. It's the best small smartphone in our list of the best smartphones with a 4.7-inch Liquid Retina display, but it doesn't sacrifice performance as it's powered by Apple's A15 Bionic chip that's also found in the iPhone 13 line and pre-installed with iOS 15. The latest iPhone SE is equipped with a single 12MP rear sensor and 7MP selfie camera, which are boosted by Apple's software to enable better photographs.

Read more
AirTags range: here’s how far the tracker can reach
An AirTag attached on a keyring

Apple AirTags are a helpful tool for tracking valuable possessions like wallets, keys, luggage, and backpacks. These tags employ various technologies that allow you to track your items from short and long distances using your compatible Apple device, such as an iPhone 15 Plus. You might wonder how far you can track your items with AirTags. It's time to find out.
AirTags range, explained

The range of AirTags varies depending on the method you use to locate them. A Bluetooth connection will work when your AirTags are close to your supported Apple device. Otherwise, Apple's Find My network is utilized. Luckily, you don't have to choose the method because it's selected behind the scenes automatically.

Read more