But click-jacking can be used to do even more damage. The attack basically redirects the user’s input invisibly for another purpose. Such attacks are known to be used in malicious websites that re-use a click to click on advertisements for example. But in the Android operating system re-routing clicks to different system settings can have terrible consequences. Hackers can transform any application in a stealth key logger after secretly gaining accessibility tools rights with the help of click-jacking. By using Android’s accessibility’s framework a malware application can then get Device Administrator access on the device and remotely wipe, lock or even locate the Android device.
What makes things worst is that there is no way of telling whether an application has done something strange and re-routed your clicks else-where. There are no flashes and the user legitimately thinks his gestures are used by the downloaded game or application. Furthermore the only permission needed by an application to perform such an attack is the permission to draw over apps. There is no root access needed. And the required permission is already used by some popular apps in the Play Store. Trusted applications like Facebook use this permission for legitimate purposes. So in theory it would be possible for anyone to make an Android app that seems to be using this permission for the right reasons so that it is accepted in the PlayStore, but actually use it to gain control of the device. Researchers warn us that we might see a rise in the number of applications that use this technique. Thankfully Android 5.0 and 6.0 are not vulnerable since they prevent specific buttons from being hijacked.