printer friendly version

Exploiting Android accessibility services

Android and iOS accessibility features are available to help people more easily use their smartphones, and include features such as audio comments, subtitles, custom display and so on. Some mobile applications designed with an inclusive approach are compatible with these accessibility services.

To enable these services in an application, it requires the accessibility permission. But this permission gives applications full access to the user’s device. Today, more cybercriminals are using this option to take control of smartphones and tablets. When this happens, users find themselves in a bind, unable to uninstall the app or even reset their device.

Recently, Pradeo Security neutralised an application using Android accessibility services for malicious purposes on a protected device. The identified malware was installed through a phishing link. It pretends to be a QR code scanning application but actually exploits the accessibility permission to perform fraudulent banking transactions.

The risks of mobile accessibility services

An application can use the BIND_ACCESSIBILITY_SERVICE permission in order to benefit from advanced features facilitating accessibility to users with disabilities. With this permission, an application can control the whole screen (clicks, movements, etc.) as well as the keyboard, read what is displayed, and close or open applications.

These features are sensitive because they enable the control of almost all layers of a device. When a malicious application is granted the accessibility permission, it can send all the information displayed on the screen and typed on the keyboard to a remote server, prevent its own removal or a system reset, and even launch itself automatically when the device is rebooted. Unfortunately, the distribution channels used by hackers, such as unofficial application stores and messaging services (SMS), do not provide any protection against this threat.

Case study: QR-Code Scanner

Name of the analysed app: QR-Code Scanner

Package name: com.square.boss

OS: Android

The ‘QR-Code Scanner’ application appears as a QR code scanning application. Its icon and name are not suspicious. However, when launched, no QR code scanning functionality is offered.

Immediately, the application sends a notification that urges the user to grant the accessibility option, which is necessary for the execution of its attack. As long as the user does not allow it, it continuously sends the same permission request.

Once authorised, the malware can silently approve its own permission requests in place of the user. Thus, it grants itself all the permissions that will allow it to carry out its attack.

In this case, our analysis of the malware suggests that the goal of the hacker behind the application is to commit fraud, by collecting data the user types or displays on their screen (login, password, credit card numbers, etc.) and intercepting temporary authentication codes that get sent.

First, the QR-Code Scanner application accesses the list of applications installed on the victim’s device to gauge interest. When banking or e-commerce applications are used, there is a greater chance that banking data is entered by the user. When it happens, the hacker collects them.

To enter the victim’s account or make a payment with their credit card, the hacker intercepts the one-time password contained in an SMS or a notification. Hence, they bypass all security measures that authenticate payments and connections using a code. Only verification protocols that use biometric data are safe at this point.

Finally, the application uses the victim’s phone to spread to other devices. To do this, it sends an SMS containing a phishing link to the entire contact list. This way, the message comes from a known number and has a better chance of convincing the recipients to install the malware.

Throughout the attack, the malware exploits accessibility services to:

• Spy on user activity.

• Grant and prevent the rejection of the permissions it needs.

• Prevent removal of the application, either from the homepage or from the settings.

• Prevent factory reset, even from a third-party device.

• Prevent sleep or shutdown of its process.

• Launch at startup.

The permissions used by the malware are the following:

• android.permission.QUERY_ALL_PACKAGES

• android.permission.QUICKBOOT_POWERON

• android.permission.RECEIVE_LAUNCH_BROADCASTS

• android.permission.GET_TASKS

• android.permission.SYSTEM_ALERT_WINDOW

• android.permission.RECEIVE_SMS

• android.permission.READ_SMS

• android.permission.WRITE_SMS

• android.permission.SEND_SMS

• android.permission.REQUEST_IGNORE_BATTERY_OPTIMIZATIONS

• android.intent.action.BOOT_COMPLETED

• com.htc.intent.action.

QUICKBOOT_POWERON

• android.intent.action.

QUICKBOOT_POWERON

• android.permission.

RECEIVE_BOOT_COMPLETED

• android.permission.QUICKBOOT_POWERON

Protective measures

Despite the undeniable need for accessibility services, the advanced rights they offer on the system mean they must be used (on the developer side) and authorised (on the user side) with due consideration. Today, only a few tools and remediation actions are effective at neutralising the malware:

• Blocking the application before launching it.

• Forcing the uninstallation of the application.

• Uninstalling via a device management solution (UEM, MDM).

• Uninstalling via ADB command.

Find out more at www.pradeo.com

Share this article:

Further reading: