Exploiting Android accessibility services

Issue 7 2022 Information Security

Android and iOS accessibility features are available to help people more easily use their smartphones, and include features such as audio comments, subtitles, custom display and so on. Some mobile applications designed with an inclusive approach are compatible with these accessibility services.

To enable these services in an application, it requires the accessibility permission. But this permission gives applications full access to the user’s device. Today, more cybercriminals are using this option to take control of smartphones and tablets. When this happens, users find themselves in a bind, unable to uninstall the app or even reset their device.

Recently, Pradeo Security neutralised an application using Android accessibility services for malicious purposes on a protected device. The identified malware was installed through a phishing link. It pretends to be a QR code scanning application but actually exploits the accessibility permission to perform fraudulent banking transactions.

The risks of mobile accessibility services

An application can use the BIND_ACCESSIBILITY_SERVICE permission in order to benefit from advanced features facilitating accessibility to users with disabilities. With this permission, an application can control the whole screen (clicks, movements, etc.) as well as the keyboard, read what is displayed, and close or open applications.

These features are sensitive because they enable the control of almost all layers of a device. When a malicious application is granted the accessibility permission, it can send all the information displayed on the screen and typed on the keyboard to a remote server, prevent its own removal or a system reset, and even launch itself automatically when the device is rebooted. Unfortunately, the distribution channels used by hackers, such as unofficial application stores and messaging services (SMS), do not provide any protection against this threat.

Case study: QR-Code Scanner

Name of the analysed app: QR-Code Scanner

Package name: com.square.boss

OS: Android

The ‘QR-Code Scanner’ application appears as a QR code scanning application. Its icon and name are not suspicious. However, when launched, no QR code scanning functionality is offered.

Immediately, the application sends a notification that urges the user to grant the accessibility option, which is necessary for the execution of its attack. As long as the user does not allow it, it continuously sends the same permission request.

Once authorised, the malware can silently approve its own permission requests in place of the user. Thus, it grants itself all the permissions that will allow it to carry out its attack.

In this case, our analysis of the malware suggests that the goal of the hacker behind the application is to commit fraud, by collecting data the user types or displays on their screen (login, password, credit card numbers, etc.) and intercepting temporary authentication codes that get sent.

First, the QR-Code Scanner application accesses the list of applications installed on the victim’s device to gauge interest. When banking or e-commerce applications are used, there is a greater chance that banking data is entered by the user. When it happens, the hacker collects them.

To enter the victim’s account or make a payment with their credit card, the hacker intercepts the one-time password contained in an SMS or a notification. Hence, they bypass all security measures that authenticate payments and connections using a code. Only verification protocols that use biometric data are safe at this point.

Finally, the application uses the victim’s phone to spread to other devices. To do this, it sends an SMS containing a phishing link to the entire contact list. This way, the message comes from a known number and has a better chance of convincing the recipients to install the malware.

Throughout the attack, the malware exploits accessibility services to:

• Spy on user activity.

• Grant and prevent the rejection of the permissions it needs.

• Prevent removal of the application, either from the homepage or from the settings.

• Prevent factory reset, even from a third-party device.

• Prevent sleep or shutdown of its process.

• Launch at startup.

The permissions used by the malware are the following:

• android.permission.QUERY_ALL_PACKAGES

• android.permission.QUICKBOOT_POWERON

• android.permission.RECEIVE_LAUNCH_BROADCASTS

• android.permission.GET_TASKS

• android.permission.SYSTEM_ALERT_WINDOW

• android.permission.RECEIVE_SMS

• android.permission.READ_SMS

• android.permission.WRITE_SMS

• android.permission.SEND_SMS

• android.permission.REQUEST_IGNORE_BATTERY_OPTIMIZATIONS

• android.intent.action.BOOT_COMPLETED

• com.htc.intent.action.

QUICKBOOT_POWERON

• android.intent.action.

QUICKBOOT_POWERON

• android.permission.

RECEIVE_BOOT_COMPLETED

• android.permission.QUICKBOOT_POWERON

Protective measures

Despite the undeniable need for accessibility services, the advanced rights they offer on the system mean they must be used (on the developer side) and authorised (on the user side) with due consideration. Today, only a few tools and remediation actions are effective at neutralising the malware:

• Blocking the application before launching it.

• Forcing the uninstallation of the application.

• Uninstalling via a device management solution (UEM, MDM).

• Uninstalling via ADB command.

Find out more at www.pradeo.com




Share this article:
Share via emailShare via LinkedInPrint this page



Further reading:

Choicejacking bypasses smartphone charging security
News & Events Information Security
Choicejacking is a new cyberthreat that bypasses smartphone charging security defences to confirm, without the victim’s input or consent, that the victim wishes to connect in data-transfer mode.

Read more...
SMARTpod talks to Sophos and Phishield
SMART Security Solutions Technews Publishing Sophos Videos Information Security News & Events
SMARTpod recently spoke with Pieter Nel, Sales Director for SADC at Sophos, and Sarel Lamprecht, MD at Phishield, about ransomware and their new cyber insurance partnership.

Read more...
Cybersecurity and insurance partnership for sub-Saharan Africa
Sophos News & Events Information Security Security Services & Risk Management
Sophos and Phishield Announce first-of-its-kind cybersecurity and insurance partnership for sub-Saharan Africa. The SMARTpod podcast, discussing the deal and the state of ransomware in South Africa and globally, is now also available.

Read more...
Highest increase in global cyberattacks in two years
Information Security News & Events
Check Point Global Research released new data on Q2 2024 cyber-attack trends, noting a 30% global increase in Q2 2024, with Africa experiencing the highest average weekly per organisation.

Read more...
Corporate and academic teams can register for Kaspersky contest
Kaspersky News & Events Information Security
Kaspersky has announced the registration opening for its new Kaspersky{CTF} (Capture the Flag) competition, inviting academic and corporate teams from around the globe to compete in a battle of skill, strategy and innovation.

Read more...
MDR: What you’re really paying for
Information Security
When businesses invest in managed detection and response (MDR), they’re buying more than a product, they’re securing access to an entire ecosystem of human expertise, global threat intelligence, and 24x7 incident response.

Read more...
Continuous security optimisation.
News & Events Information Security
Cymulate has announced its partnership with SentinelOne, a threat exposure validation and AI-powered cybersecurity platform. The collaboration delivers self-healing endpoint security that empowers businesses to increase protection for every endpoint on their network.

Read more...
Protect your smart home devices
Kaspersky IoT & Automation Information Security Smart Home Automation
Voice assistants, kitchen robots, smart lights and many other intelligent devices have become part of our everyday life. However, with the rise of smart technology comes the need for robust protection against potential vulnerabilities.

Read more...
ISPA’s take-down process protects from local scams
News & Events Information Security
During the recent school holidays, parents could rest a little easier knowing that ISPA, SA’s official internet industry representative body, is removing an average of three to four problematic websites from the local internet every week.

Read more...
NEC XON disrupts sophisticated cyberattack
Information Security
NEC XON recently showcased its advanced cyberthreat detection and response capabilities by successfully thwarting a human-operated ransomware attack targeting a major service provider.

Read more...










While every effort has been made to ensure the accuracy of the information contained herein, the publisher and its agents cannot be held responsible for any errors contained, or any loss incurred as a result. Articles published do not necessarily reflect the views of the publishers. The editor reserves the right to alter or cut copy. Articles submitted are deemed to have been cleared for publication. Advertisements and company contact details are published as provided by the advertiser. Technews Publishing (Pty) Ltd cannot be held responsible for the accuracy or veracity of supplied material.




© Technews Publishing (Pty) Ltd. | All Rights Reserved.