


New Attack Busts Android for Work

Malicious apps can be used to steal information secured by Google's Android for Work, security company Skycure publicly demonstrated here at this year's RSA. At the center of the attack is a Google Android feature designed to separate work and personal data on smartphones.

"The basic idea is to create a separate profile on the device which has business-level controls, while leaving the original, personal profile open and unmanaged," Skycure CEO Yair Amit wrote in a blog post. "All of the business applications, email, and documents would be managed and secured within the business profile, while everything on the personal side remains untouched and unrestricted."

Notify Your Enemies

Amit and his team were able to breach the separation between the work and personal sections of Android devices using what he calls an "app-in-the-middle attack." A nod to man-in-the-middle attacks, this tactic uses a malicious app installed in the personal sector of the phone that is able to intercept information from the secure sector and pass it on to the attacker.

The malicious app requires no special permissions other than the ability to see notifications. In a demo, the app mimicked the functionality of PushBullet, an app that lets you mirror Android notifications on your PC.

Once installed, the app works as advertised, except that the attacker also receives a copy of your notifications.

"Since Notifications access is a device-level permission, a malicious app in the personal profile can acquire permission to view and take actions on ALL notifications, including work notifications, by design," Amit wrote. "Sensitive data, such as calendar meetings, email messages, and other information appears in these notifications, which are also visible to the 'personal' malicious app."

Then, all the attacker has to do is send a password reset request, copy the data from the intercepted notification, and seize control of personal accounts.

App in the Middle

In a second demonstration of the app-in-the-middle attack, Amit used an additional permission to gain even more insight into a victim's phone. Android devices include accessibility features such as text-to-speech for the visually impaired. By using this permission, Amit captured everything happening on the victim's screen, regardless of whether the user was viewing an app in the work or personal sectors.

"This app-in-the-middle resides in the personal profile, yet is effective in stealing corporate information as the user interacts with it," Amit explained. The privacy limitations of the personal sector mean that the IT managers of the corporate sector aren't able to prevent or even be made aware of the attack.

Note that in both of these examples, Skycure built fully functional malicious apps. These not only carried out their devious designs, but also worked as advertised to the user.

An Unusual Response

Skycure is no stranger to threat research and has always followed a responsible disclosure policy, where companies are given the chance to patch discovered vulnerabilities before Skycure makes them public. That's not quite what happened this time, though.

"After internal evaluation by the Android team, it was decided that the aforementioned behavior is an intended behavior," wrote Amit. "As that behavior poses an unexpected and clear threat to corporate data of organizations that utilize Android for Work, we have mutually agreed to disclose the findings with the public, to raise awareness to the exposure."

It's worth noting that Google has done a remarkable job securing a platform as large as Android. Adrian Ludwig, the person in charge of Android security, spoke this week at RSA and outlined how there have been vanishingly few successful exploitations used in the wild and none at a significant scale.

Also, most security professionals will point out that if you convince someone to install a malicious app, the bad guys have already won. As seen in the case of the DNC hack, the hardest part of any attack is often just convincing the victim to willingly make themselves vulnerable.

An interesting caveat to this is that Google provides many powerful security features in Android. SafetyNet, for instance, can detect malicious or suspicious activity on a device even when the app is installed from outside Google Play. The device used in Amit's testing was unmodified and up to date, yet the malicious activity went unnoticed. Google's security features might detect the app in the future, of course.

Speaking to PCMag, Amit was clear that Google and the work features in the Android system are not to blame. Rather, a reliance on containers cannot replace good security policies. "The danger lies in the illusion of a secure container, which tends to allow people to let their guard down in the belief that the environment itself is a sufficient security mechanism to protect sensitive data," Amit said.

Amit pointed out that savvy IT professionals will recognize a risk in allowing devices that do double duty as home and office devices. By the same token, employees using devices that handle personal and corporate information need to be made aware of the risks and encouraged to act responsibly, either by scrutinizing the apps they install on these devices, or by using a third-party security app to augment the built-in safeguards found in Android.
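One way to scrutinize a dual-use device for the two grants described above is to list which apps hold notification access or an accessibility service and compare them with an approved list. This is an added example, not code from the article or from Skycure; it assumes the values come from `adb shell settings get secure <key>`, and the package names and allowlist are constructed for illustration.

```python
import subprocess

# Settings.Secure keys listing the components that hold the two device-wide
# grants the article describes: notification access and accessibility.
KEYS = {
    "notification access": "enabled_notification_listeners",
    "accessibility service": "enabled_accessibility_services",
}

def parse_components(value):
    """Split a colon-separated list of flattened ComponentNames (pkg/class)."""
    value = (value or "").strip()
    if value in ("", "null"):  # `settings get` prints "null" for an unset key
        return []
    components = []
    for item in filter(None, (part.strip() for part in value.split(":"))):
        pkg, _, cls = item.partition("/")
        if cls.startswith("."):  # leading dot = class relative to the package
            cls = pkg + cls
        components.append((pkg, cls))
    return components

def audit(settings, allowlist):
    """Return sorted (grant, package, class) for packages not on the allowlist."""
    findings = []
    for grant, key in KEYS.items():
        for pkg, cls in parse_components(settings.get(key)):
            if pkg not in allowlist:
                findings.append((grant, pkg, cls))
    return sorted(findings)

def read_from_device():
    """Read both keys over adb (assumes a connected device with USB debugging)."""
    values = {}
    for key in KEYS.values():
        cmd = ["adb", "shell", "settings", "get", "secure", key]
        values[key] = subprocess.run(
            cmd, capture_output=True, text=True, check=True).stdout
    return values

# Constructed sample values; these package names are hypothetical.
SAMPLE = {
    "enabled_notification_listeners":
        "com.example.mirror/.NotifyService:com.example.watch/com.example.watch.Listener",
    "enabled_accessibility_services": "com.example.reader/.ScreenService",
}
ALLOWLIST = {"com.example.watch"}  # packages the organization has approved

if __name__ == "__main__":
    for grant, pkg, cls in audit(SAMPLE, ALLOWLIST):
        print(f"review: {pkg} holds {grant} via {cls}")
```

Swap `SAMPLE` for `read_from_device()` to audit a connected handset instead of the constructed values.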

Source: https://sea.pcmag.com/security/14057/new-attack-busts-android-for-work

Posted by: hoffmanvalinarts.blogspot.com
