Exploiting Android accessibility services

Issue 7 2022 Information Security

Android and iOS accessibility features are available to help people more easily use their smartphones, and include features such as audio comments, subtitles, custom display and so on. Some mobile applications designed with an inclusive approach are compatible with these accessibility services.

To enable these services in an application, it requires the accessibility permission. But this permission gives applications full access to the user’s device. Today, more cybercriminals are using this option to take control of smartphones and tablets. When this happens, users find themselves in a bind, unable to uninstall the app or even reset their device.

Recently, Pradeo Security neutralised an application using Android accessibility services for malicious purposes on a protected device. The identified malware was installed through a phishing link. It pretends to be a QR code scanning application but actually exploits the accessibility permission to perform fraudulent banking transactions.

The risks of mobile accessibility services

An application can use the BIND_ACCESSIBILITY_SERVICE permission in order to benefit from advanced features facilitating accessibility to users with disabilities. With this permission, an application can control the whole screen (clicks, movements, etc.) as well as the keyboard, read what is displayed, and close or open applications.

These features are sensitive because they enable the control of almost all layers of a device. When a malicious application is granted the accessibility permission, it can send all the information displayed on the screen and typed on the keyboard to a remote server, prevent its own removal or a system reset, and even launch itself automatically when the device is rebooted. Unfortunately, the distribution channels used by hackers, such as unofficial application stores and messaging services (SMS), do not provide any protection against this threat.

Case study: QR-Code Scanner

Name of the analysed app: QR-Code Scanner

Package name: com.square.boss

OS: Android

The ‘QR-Code Scanner’ application appears as a QR code scanning application. Its icon and name are not suspicious. However, when launched, no QR code scanning functionality is offered.

Immediately, the application sends a notification that urges the user to grant the accessibility option, which is necessary for the execution of its attack. As long as the user does not allow it, it continuously sends the same permission request.

Once authorised, the malware can silently approve its own permission requests in place of the user. Thus, it grants itself all the permissions that will allow it to carry out its attack.

In this case, our analysis of the malware suggests that the goal of the hacker behind the application is to commit fraud, by collecting data the user types or displays on their screen (login, password, credit card numbers, etc.) and intercepting temporary authentication codes that get sent.

First, the QR-Code Scanner application accesses the list of applications installed on the victim’s device to gauge interest. When banking or e-commerce applications are used, there is a greater chance that banking data is entered by the user. When it happens, the hacker collects them.

To enter the victim’s account or make a payment with their credit card, the hacker intercepts the one-time password contained in an SMS or a notification. Hence, they bypass all security measures that authenticate payments and connections using a code. Only verification protocols that use biometric data are safe at this point.

Finally, the application uses the victim’s phone to spread to other devices. To do this, it sends an SMS containing a phishing link to the entire contact list. This way, the message comes from a known number and has a better chance of convincing the recipients to install the malware.

Throughout the attack, the malware exploits accessibility services to:

• Spy on user activity.

• Grant and prevent the rejection of the permissions it needs.

• Prevent removal of the application, either from the homepage or from the settings.

• Prevent factory reset, even from a third-party device.

• Prevent sleep or shutdown of its process.

• Launch at startup.

The permissions used by the malware are the following:

• android.permission.QUERY_ALL_PACKAGES

• android.permission.QUICKBOOT_POWERON

• android.permission.RECEIVE_LAUNCH_BROADCASTS

• android.permission.GET_TASKS

• android.permission.SYSTEM_ALERT_WINDOW

• android.permission.RECEIVE_SMS

• android.permission.READ_SMS

• android.permission.WRITE_SMS

• android.permission.SEND_SMS


• android.intent.action.BOOT_COMPLETED

• com.htc.intent.action.


• android.intent.action.


• android.permission.


• android.permission.QUICKBOOT_POWERON

Protective measures

Despite the undeniable need for accessibility services, the advanced rights they offer on the system mean they must be used (on the developer side) and authorised (on the user side) with due consideration. Today, only a few tools and remediation actions are effective at neutralising the malware:

• Blocking the application before launching it.

• Forcing the uninstallation of the application.

• Uninstalling via a device management solution (UEM, MDM).

• Uninstalling via ADB command.

Find out more at www.pradeo.com

Share this article:
Share via emailShare via LinkedInPrint this page

Further reading:

Kaspersky finds 24 vulnerabilities in biometric access systems
Technews Publishing Information Security
Customers urged to update firmware. Kaspersky has identified numerous flaws in the hybrid biometric terminal produced by international manufacturer ZKTeco, allowing a nefarious actor to bypass the verification process and gain unauthorised access.

Responsible AI boosts software security
Information Security
While the prevalence of high-severity security flaws in applications has dropped slightly in recent years, the risks posed by software vulnerabilities remain high, and remediating these vulnerabilities could hinder new application development.

AI and ransomware: cutting through the hype
AI & Data Analytics Information Security
It might be the great paradox of 2024: artificial intelligence (AI). Everyone is bored of hearing it, but we cannot stop talking about it. It is not going away, so we had better get used to it.

NEC XON shares lessons learned from ransomware attacks
NEC XON Editor's Choice Information Security
NEC XON has handled many ransomware attacks. We've distilled key insights and listed them in this article to better equip companies and individuals for scenarios like this, which many will say are an inevitable reality in today’s environment.

iOCO collaboration protection secures Office 365
Information Security Infrastructure
The cloud, in general, and Office 365, in particular, have played a significant role in enabling collaboration, but it has also created a security headache as organisations store valuable information on the platform.

Cybercriminals embracing AI
Information Security Security Services & Risk Management
Organisations of all sizes are exploring how artificial intelligence (AI) and generative AI, in particular, can benefit their businesses. While they are still figuring out how best to use AI, cybercriminals have fully embraced it.

A strong cybersecurity foundation
Milestone Systems Information Security
The data collected by cameras, connected sensors, and video management software can make a VMS an attractive target for malicious actors; therefore, being aware of the risks of an insecure video surveillance system and how to mitigate these are critical skills.

Surveillance and cybersecurity
Cathexis Technologies Information Security
Whether your business runs a security system with a handful of cameras or it is an enterprise company with thousands of cameras monitoring sites across a multinational organisation, you must pay attention to cybersecurity.

Cyber-armour for a healthcare industry under attack
NEC XON Information Security Healthcare (Industry)
Malicious actors have exploited compromised credentials, a clear and present danger when healthcare providers' reliance on remote access software allows adversaries to disguise themselves as legitimate users and gain unauthorised access to critical environments.

Cybersecurity and AI
AI & Data Analytics Information Security
Cybersecurity is one of the primary reasons that detecting the commonalities and threats of what is otherwise completely unknown is possible with tools such as SIEM and endpoint protection platforms.