Preventing accessibility service malware


Android’s Accessibility Service, as well as a litany of similar programs, includes features designed to help disabled users use devices and apps.

These programs typically run in the background, and they receive system callbacks that allow them to react to accessibility action requests. Some of the most common examples include screen readers, speech-to-text and touch events. In the Philippines, where users prefer apps that provide seamless transactions and interactions, according to an Appdome report, accessibility services are essential to supporting the mobile app market.

However, although the Accessibility Service places the customer first, it has also been exploited by cybercriminals to deliver advanced forms of mobile malware. In fact, in neighboring Singapore, authorities recently warned of fake SMS texts directing victims to download an anti-scam app supposedly created by the national police. Once installed, mobile users would be prompted to allow the app access to the Accessibility Service, which could expose the infected device to remote takeovers and credential theft.

Attackers have found ways to exploit the Accessibility Service to gain unauthorized access to in-app events, steal sensitive information, hijack transactions and avoid detection. With the help of system callbacks and command and control functionality, they can effectively target more app makers with updated attack payloads. Malware variants that abuse the Accessibility Service in some form or another include FluBot, BrasDex, Xenomorph, SOVA, SpyNote, Joker, Octo and BianLian.

The nuts and bolts

Accessibility services are enabled at the OS level. They translate user inputs and gestures into actions, speech and text, and they communicate with the app through system callbacks. However, attackers can monitor, intercept and hijack these callbacks to perform various actions without the user’s knowledge or consent. For example, accessibility service malware can gain access to a banking app’s transaction records and personal details by capturing users’ interactions.

Screen overlay and keylogging are two of the most…
