Skip to main content

Malicious hackers could exploit flaws in Android for Work to nab sensitive data

One of the pillars of Google’s enterprise-focused “work features in Android platform,” previously called Android for Work, is security. But a newly discovered exploit demonstrated at the RSA conference in San Francisco on February 16 showed how an attacker could view, steal, and even manipulate content on a corporate Android smartphone without tipping off IT administrators.

The flaw, discovered by Yair Amit, chief technology officer of cybersecurity firm Skycure, has to do with the way Android for Work handles “sandboxes,” or protects user profiles. The service operates on the idea of a “work” profile with business-level controls, enterprise applications, corporate email, and secure documents on a smartphone or tablet. This secure profile effectively acts as a separate user, though it shares icon badges and notifications with the personal profile.

Recommended Videos

This concept of sandboxing — creating a secure container where apps outside the work profile can’t access data inside it — is key to Android for Work’s conceit. But it isn’t bulletproof.

One potential line of attack involves Android’s notifications framework. Incoming Android for Work messages are designated with a red briefcase icon in Android’s notifications window, giving the impression that they remain segregated from those in the personal profile.

But notifications on Android are a device-level permission, meaning apps in the personal profile can potentially manipulate the content of notifications from the work profile. Malicious software could view sensitive incoming work emails, calendar appointments, file attachments, and other messages, for example, and could transmit that information to a remote server.

The second line of attack exploits a flaw in Android’s Accessibility Service, the Android component that provides usability enhancements for impaired users. It necessarily has access to virtually all of Android’s content and controls, making apps that acquire permission to use it particularly dangerous — and difficult to detect. For instance, an app could use Android’s Draw Over Apps feature, which allows apps to lay text and graphics on top of other apps, to trick a user into activity Accessibility Service or Notifications without their knowledge.

That’s not to suggest the attacks can’t be mitigated. Android 6.0 Marshmallow requires users to manually allow apps to create system overlays by changing permissions in the settings menu. And the Notifications attack requires a user to grant extraordinary permissions to an installed app. Still, Amit notes the relative ease of circumventing Android for Work’s sandboxing method by exploiting the “illusion” of security.

“The interesting thing about both of these […] methods of defeating the Android for Work profile separation is that the device and the Android operating system remain operating exactly as designed and intended,” Amit said.

“It is the user who must be tricked into placing the software on the device and activating the appropriate services that allow the malware access to sensitive information. [The] illusion of a secure container […] tends to allow people to let their guard down in the belief that the environment itself is a sufficient security mechanism to protect data.”

Kyle Wiggers
Kyle Wiggers is a writer, Web designer, and podcaster with an acute interest in all things tech. When not reviewing gadgets…
Will my iPhone get iOS 26? Here’s every supported model
We've got the full list of iOS 26 supported devices - find out if you're getting the new iPhone update
iOS 26 features on a series of iPhone screens

Apple announced iOS 26 at WWDC 2025, and the new iPhone update comes with a fresh new 'Liquid Glass' look and plenty of features - and there are loads of iOS 26 supported devices, which is great news.

And no, you haven't missed a volley of updates since iOS 18 in 2024. Apple has skipped a bunch of numbers, so instead of giving us iOS 19 in 2025, we got iOS 26 alongside iPadOS 26, macOS 26, watchOS 26 and tvOS 26. In short, Apple's brought its operating system numbering into line. Nice.

Read more
Will my iPad get iPadOS 26? Here’s every supported model
We've got the full list of iPadOS 26 supported devices - find out if you're getting the new iPad update
iPadOS 26 home screen on an iPad

Apple announced iPadOS 26 at WWDC 2025, and the new iPad update comes with a fresh new look and plenty of features. Apple has ensured there are plenty of iPadOS 26 supported slates, so if you have a relatively new iPad you should get the update this year.

And no, you haven't missed a volley of updates since iPadOS 18 in 2024. Apple has skipped a bunch of numbers, so instead of giving us iPadOS 19 in 2025, we got iPadOS 26 alongside iOS 26, macOS 26, watchOS 26 and tvOS 26.

Read more
Will my Apple Watch get watchOS 26? Here’s every supported model
We've got the full list of watchOS 26 supported devices - find out if you're getting the new Apple Watch update
watchOS 26 on a trio of Apple Watches

Apple announced watchOS 26 at WWDC 2025, and the new Watch update comes with a fresh new look and plenty of features. Apple has ensured there are plenty of watchOS 26 supported devices, so if you have a relatively new Watch you should get the update this year.

And no, you haven't missed a volley of updates since watchOS 11 in 2024. Apple has skipped a bunch of numbers, so instead of giving us watchOS 12 in 2025, we got watchOS 26 alongside iOS 26, macOS 26, iPadOS 26, tvOS 26 and visionOS 26.

Read more