Exploiting Android accessibility services

Issue 7 2022 Information Security

Android and iOS accessibility features are available to help people more easily use their smartphones, and include features such as audio comments, subtitles, custom display and so on. Some mobile applications designed with an inclusive approach are compatible with these accessibility services.

To enable these services in an application, it requires the accessibility permission. But this permission gives applications full access to the user’s device. Today, more cybercriminals are using this option to take control of smartphones and tablets. When this happens, users find themselves in a bind, unable to uninstall the app or even reset their device.

Recently, Pradeo Security neutralised an application using Android accessibility services for malicious purposes on a protected device. The identified malware was installed through a phishing link. It pretends to be a QR code scanning application but actually exploits the accessibility permission to perform fraudulent banking transactions.

The risks of mobile accessibility services

An application can use the BIND_ACCESSIBILITY_SERVICE permission in order to benefit from advanced features facilitating accessibility to users with disabilities. With this permission, an application can control the whole screen (clicks, movements, etc.) as well as the keyboard, read what is displayed, and close or open applications.

These features are sensitive because they enable the control of almost all layers of a device. When a malicious application is granted the accessibility permission, it can send all the information displayed on the screen and typed on the keyboard to a remote server, prevent its own removal or a system reset, and even launch itself automatically when the device is rebooted. Unfortunately, the distribution channels used by hackers, such as unofficial application stores and messaging services (SMS), do not provide any protection against this threat.

Case study: QR-Code Scanner

Name of the analysed app: QR-Code Scanner

Package name: com.square.boss

OS: Android

The ‘QR-Code Scanner’ application appears as a QR code scanning application. Its icon and name are not suspicious. However, when launched, no QR code scanning functionality is offered.

Immediately, the application sends a notification that urges the user to grant the accessibility option, which is necessary for the execution of its attack. As long as the user does not allow it, it continuously sends the same permission request.

Once authorised, the malware can silently approve its own permission requests in place of the user. Thus, it grants itself all the permissions that will allow it to carry out its attack.

In this case, our analysis of the malware suggests that the goal of the hacker behind the application is to commit fraud, by collecting data the user types or displays on their screen (login, password, credit card numbers, etc.) and intercepting temporary authentication codes that get sent.

First, the QR-Code Scanner application accesses the list of applications installed on the victim’s device to gauge interest. When banking or e-commerce applications are used, there is a greater chance that banking data is entered by the user. When it happens, the hacker collects them.

To enter the victim’s account or make a payment with their credit card, the hacker intercepts the one-time password contained in an SMS or a notification. Hence, they bypass all security measures that authenticate payments and connections using a code. Only verification protocols that use biometric data are safe at this point.

Finally, the application uses the victim’s phone to spread to other devices. To do this, it sends an SMS containing a phishing link to the entire contact list. This way, the message comes from a known number and has a better chance of convincing the recipients to install the malware.

Throughout the attack, the malware exploits accessibility services to:

• Spy on user activity.

• Grant and prevent the rejection of the permissions it needs.

• Prevent removal of the application, either from the homepage or from the settings.

• Prevent factory reset, even from a third-party device.

• Prevent sleep or shutdown of its process.

• Launch at startup.

The permissions used by the malware are the following:

• android.permission.QUERY_ALL_PACKAGES

• android.permission.QUICKBOOT_POWERON

• android.permission.RECEIVE_LAUNCH_BROADCASTS

• android.permission.GET_TASKS

• android.permission.SYSTEM_ALERT_WINDOW

• android.permission.RECEIVE_SMS

• android.permission.READ_SMS

• android.permission.WRITE_SMS

• android.permission.SEND_SMS

• android.permission.REQUEST_IGNORE_BATTERY_OPTIMIZATIONS

• android.intent.action.BOOT_COMPLETED

• com.htc.intent.action.

QUICKBOOT_POWERON

• android.intent.action.

QUICKBOOT_POWERON

• android.permission.

RECEIVE_BOOT_COMPLETED

• android.permission.QUICKBOOT_POWERON

Protective measures

Despite the undeniable need for accessibility services, the advanced rights they offer on the system mean they must be used (on the developer side) and authorised (on the user side) with due consideration. Today, only a few tools and remediation actions are effective at neutralising the malware:

• Blocking the application before launching it.

• Forcing the uninstallation of the application.

• Uninstalling via a device management solution (UEM, MDM).

• Uninstalling via ADB command.

Find out more at www.pradeo.com




Share this article:
Share via emailShare via LinkedInPrint this page



Further reading:

Want effective Attack Surface Management? Think like an attacker.
Information Security
Effective ASM requires companies to think like attackers, anticipate risks, and act decisively to reduce exposure by knowing their environment, deploying a structured approach, leveraging capable tools, and addressing both internal and external risks.

Read more...
The growing role of hybrid backup
Infrastructure Information Security
As Africa’s digital economy rapidly grows, businesses across the continent are facing the challenge of securing data in an environment characterised by evolving cyberthreats, unreliable connectivity and diverse regulatory frameworks.

Read more...
POPIA non-compliance puts municipalities at risk
Information Security Government and Parastatal (Industry)
Digital responsibility must go beyond POPIA compliance to recognising that privacy and service delivery are fundamentally linked. Despite this, only 51 out of 257 municipalities submitted their mandatory data protection and access to information reports in 2024.

Read more...
Choicejacking bypasses smartphone charging security
News & Events Information Security
Choicejacking is a new cyberthreat that bypasses smartphone charging security defences to confirm, without the victim’s input or consent, that the victim wishes to connect in data-transfer mode.

Read more...
Most wanted malware
News & Events Information Security
Check Point Software Technologies unveiled its Global Threat Index for June 2025, highlighting a surge in new and evolving threats. Eight African countries are among the most targeted as malware leaders AsyncRAT and FakeUpdates expand.

Read more...
Welcome to the new cyber battleground
Information Security
The Iran-Israel conflict is rapidly redefining modern warfare, pushing the boundaries of cyber capabilities and creating a new, borderless digital battlefield. Fortinet’s CISO, Dr Carl Windsor, offers a critical, in-depth analysis of the escalating tactics and global implications in his latest report.

Read more...
African industries may overestimate cyber defences
Information Security
] A significant perception gap exists in security awareness training: 68% of leaders believe training is tailored to roles, yet only a third of employees feel adequately trained. Many organisations only conduct annual or biannual generic training that may not effectively change behaviour.

Read more...
SMARTpod talks to Sophos and Phishield
SMART Security Solutions Technews Publishing Sophos Videos Information Security News & Events
SMARTpod recently spoke with Pieter Nel, Sales Director for SADC at Sophos, and Sarel Lamprecht, MD at Phishield, about ransomware and their new cyber insurance partnership.

Read more...
Cybersecurity and insurance partnership for sub-Saharan Africa
Sophos News & Events Information Security Security Services & Risk Management
Sophos and Phishield Announce first-of-its-kind cybersecurity and insurance partnership for sub-Saharan Africa. The SMARTpod podcast, discussing the deal and the state of ransomware in South Africa and globally, is now also available.

Read more...
Highest increase in global cyberattacks in two years
Information Security News & Events
Check Point Global Research released new data on Q2 2024 cyber-attack trends, noting a 30% global increase in Q2 2024, with Africa experiencing the highest average weekly per organisation.

Read more...










While every effort has been made to ensure the accuracy of the information contained herein, the publisher and its agents cannot be held responsible for any errors contained, or any loss incurred as a result. Articles published do not necessarily reflect the views of the publishers. The editor reserves the right to alter or cut copy. Articles submitted are deemed to have been cleared for publication. Advertisements and company contact details are published as provided by the advertiser. Technews Publishing (Pty) Ltd cannot be held responsible for the accuracy or veracity of supplied material.




© Technews Publishing (Pty) Ltd. | All Rights Reserved.