Exploiting Android accessibility services

Issue 7 2022 Cyber Security

Android and iOS accessibility features are available to help people more easily use their smartphones, and include features such as audio comments, subtitles, custom display and so on. Some mobile applications designed with an inclusive approach are compatible with these accessibility services.

To enable these services in an application, it requires the accessibility permission. But this permission gives applications full access to the user’s device. Today, more cybercriminals are using this option to take control of smartphones and tablets. When this happens, users find themselves in a bind, unable to uninstall the app or even reset their device.

Recently, Pradeo Security neutralised an application using Android accessibility services for malicious purposes on a protected device. The identified malware was installed through a phishing link. It pretends to be a QR code scanning application but actually exploits the accessibility permission to perform fraudulent banking transactions.

The risks of mobile accessibility services

An application can use the BIND_ACCESSIBILITY_SERVICE permission in order to benefit from advanced features facilitating accessibility to users with disabilities. With this permission, an application can control the whole screen (clicks, movements, etc.) as well as the keyboard, read what is displayed, and close or open applications.

These features are sensitive because they enable the control of almost all layers of a device. When a malicious application is granted the accessibility permission, it can send all the information displayed on the screen and typed on the keyboard to a remote server, prevent its own removal or a system reset, and even launch itself automatically when the device is rebooted. Unfortunately, the distribution channels used by hackers, such as unofficial application stores and messaging services (SMS), do not provide any protection against this threat.

Case study: QR-Code Scanner

Name of the analysed app: QR-Code Scanner

Package name: com.square.boss

OS: Android

The ‘QR-Code Scanner’ application appears as a QR code scanning application. Its icon and name are not suspicious. However, when launched, no QR code scanning functionality is offered.

Immediately, the application sends a notification that urges the user to grant the accessibility option, which is necessary for the execution of its attack. As long as the user does not allow it, it continuously sends the same permission request.

Once authorised, the malware can silently approve its own permission requests in place of the user. Thus, it grants itself all the permissions that will allow it to carry out its attack.

In this case, our analysis of the malware suggests that the goal of the hacker behind the application is to commit fraud, by collecting data the user types or displays on their screen (login, password, credit card numbers, etc.) and intercepting temporary authentication codes that get sent.

First, the QR-Code Scanner application accesses the list of applications installed on the victim’s device to gauge interest. When banking or e-commerce applications are used, there is a greater chance that banking data is entered by the user. When it happens, the hacker collects them.

To enter the victim’s account or make a payment with their credit card, the hacker intercepts the one-time password contained in an SMS or a notification. Hence, they bypass all security measures that authenticate payments and connections using a code. Only verification protocols that use biometric data are safe at this point.

Finally, the application uses the victim’s phone to spread to other devices. To do this, it sends an SMS containing a phishing link to the entire contact list. This way, the message comes from a known number and has a better chance of convincing the recipients to install the malware.

Throughout the attack, the malware exploits accessibility services to:

• Spy on user activity.

• Grant and prevent the rejection of the permissions it needs.

• Prevent removal of the application, either from the homepage or from the settings.

• Prevent factory reset, even from a third-party device.

• Prevent sleep or shutdown of its process.

• Launch at startup.

The permissions used by the malware are the following:

• android.permission.QUERY_ALL_PACKAGES

• android.permission.QUICKBOOT_POWERON

• android.permission.RECEIVE_LAUNCH_BROADCASTS

• android.permission.GET_TASKS

• android.permission.SYSTEM_ALERT_WINDOW

• android.permission.RECEIVE_SMS

• android.permission.READ_SMS

• android.permission.WRITE_SMS

• android.permission.SEND_SMS


• android.intent.action.BOOT_COMPLETED

• com.htc.intent.action.


• android.intent.action.


• android.permission.


• android.permission.QUICKBOOT_POWERON

Protective measures

Despite the undeniable need for accessibility services, the advanced rights they offer on the system mean they must be used (on the developer side) and authorised (on the user side) with due consideration. Today, only a few tools and remediation actions are effective at neutralising the malware:

• Blocking the application before launching it.

• Forcing the uninstallation of the application.

• Uninstalling via a device management solution (UEM, MDM).

• Uninstalling via ADB command.

Find out more at www.pradeo.com

Share this article:
Share via emailShare via LinkedInPrint this page

Further reading:

Industrial control systems under attack
News Cyber Security
According to Kaspersky ICS CERT statistics, from January to September 2022, 38% of computers in the industrial control systems (ICS) environment in the META region were attacked using multiple means.

OSINT: A new dimension in cybersecurity
Cyber Security
The ancient Chinese strategist Sun Tzu noted, you should always try to know what the enemy knows and know more than the enemy.

Sasol ensures Zero Trust for SAP financials with bioLock
Technews Publishing Editor's Choice Cyber Security Security Services & Risk Management
Multi-factor authentication, including biometrics, for SAP Financials from realtime North America prevents financial compliance avoidance for Sasol.

Building a holistic application security process
Altron Arrow Cyber Security
Altron Arrow asks what it means to build a holistic AppSec process. Learn what’s involved in a holistic approach and how to get started.

Managing data privacy concerns when moving to the cloud
Cyber Security
While the cloud offers many business benefits, it can also raise concerns around compliance, and some organisations have taken the approach of staying out of the cloud for this reason.

Accelerating your Zero Trust journey in manufacturing
IT infrastructure Cyber Security Industrial (Industry)
Francois van Hirtum, CTO of Obscure Technologies, advises manufacturers on a strategic approach to safeguarding their businesses against cyber breaches.

The democratisation of threats
Cyber Security
Bugcrowd looks at some of the primary vulnerabilities the world faced in 2021, and the risks moving forward with growing attack surfaces and lucrative returns on crime.

Protecting yourself from DDoS attacks
Cyber Security Security Services & Risk Management
A DDoS attack, when an attacker floods a server or network with Internet traffic to prevent users from accessing connected online services, can be costly in both earnings and reputation.

Cyber resilience is more than cybersecurity
Technews Publishing Editor's Choice Cyber Security Integrated Solutions IT infrastructure
Hi-Tech Security Solutions held a round-table discussion focusing on cyber resilience and found that while the resilience discipline includes cybersecurity, it also goes much further.

Keeping devices in check
Cyber Security Asset Management, EAS, RFID IT infrastructure
Kaspersky patents new technology for analysing relationships between electronic devices to counter cyberattacks launched through connected IoT devices.