The Android Accessibility Service is an important feature that assists older individuals and people with disabilities in using their smartphones. However, it can also be exploited by malicious software developers to create harmful malware that causes problems for users.
Now, let’s delve into the Android Accessibility Service and examine how it can be utilized with malicious intentions.
What Is the Android Accessibility Service?
The Android Accessibility Service enables apps to take control of the phone and perform special tasks. Its main purpose is to assist individuals with disabilities in using their phones.
For instance, if a developer is concerned that people with poor eyesight may struggle to read certain text, they can utilize the service to have the text read out loud to the user.
The service can also perform actions on behalf of the user and display content on top of other apps. All these features are designed to aid people in using their phones and cater to a wide range of disabilities.
It’s important to note that the Android Accessibility Suite is separate from the Accessibility Service.
While the Accessibility Service is used by developers to enhance their apps, the Android Accessibility Suite provides a collection of apps specifically designed to assist individuals with disabilities.
Can Android Accessibility Service Be Used For Hacking?
Unfortunately, when developers have more control over a phone, there is always a risk of malicious actions.
For instance, the feature that reads text aloud to the user can also be misused to scan the text and send it to the developer without the user’s knowledge.
Controlling user actions and displaying overlay content can be used for clickjacking attacks.
Malware can take advantage of this service to click buttons on its own, for example to grant itself administrative powers.
It can also overlay content on the screen and deceive the user into clicking on it, leading to unintended consequences.
Examples of Malicious Use of Accessibility Services on Android
Cloak and Dagger
One of the scarier examples of this type of malware is Cloak and Dagger. It utilized the Accessibility Service and overlay drawing service to read all the information on a user’s phone.
The biggest challenge in combating Cloak and Dagger was its method of operation. It exploited genuine Android services to launch the attack, making it difficult to detect by antivirus software.
Additionally, this approach made it convenient for the developers to upload infected apps to the Google Play store without being caught during security checks.
Ginp
Let’s talk about a more recent example. Ginp is an Android Trojan that was inspired by Anubis.
Although it included some code from Anubis, it was not a modified version of the original malware.
The developer created Ginp from scratch but later borrowed code from Anubis to perform specific functions.
Ginp would pretend to be Adobe Flash Player and ask the user if they wanted to install it. When granted permission, including Accessibility Services, Ginp would use this service to gain administrative privileges.
With these privileges, it could become the default phone and SMS app on the device.
This allowed Ginp to access and collect SMS messages, send messages on its own, retrieve the contacts list, and forward calls.
To make matters worse, Ginp also adopted a tactic used by Anubis in bank scams. It utilized the Accessibility Services to overlay a fraudulent bank login page on top of the legitimate app’s page.
This allowed Ginp to capture the user’s login details and credit card information.
Anubis
Anubis, an active banking Trojan, operates by stealing users’ banking credentials and sending them to the developer. Banking Trojans are a popular method used by hackers to gain unauthorized access to bank accounts.
Anubis used Accessibility Services to monitor and capture user keystrokes. Typically, banking Trojans trick users by displaying a fake overlay that resembles a banking app, leading users to enter their details into the fake overlay instead of the genuine app.
However, Anubis bypassed this step by directly reading the keystrokes entered on the keyboard.
Even if the user took precautions and entered their details into the legitimate banking app, Anubis was still able to obtain their information.
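The permission combinations behind these examples can be checked statically before an app is installed. The following is an added example, not part of the original article: it parses a decoded AndroidManifest.xml and reports when an app declares an accessibility service alongside overlay, SMS, contacts or call permissions. The sample manifest and the package name `com.example.flashupdate` are constructed.

```python
import xml.etree.ElementTree as ET

ANDROID_NS = "{http://schemas.android.com/apk/res/android}"
BIND_A11Y = "android.permission.BIND_ACCESSIBILITY_SERVICE"

# Permissions that, combined with an accessibility service, match the
# behaviours described above (overlays, SMS handling, contacts, calls).
RISKY_COMPANIONS = {
    "android.permission.SYSTEM_ALERT_WINDOW": "can draw overlays on other apps",
    "android.permission.READ_SMS": "can read SMS messages",
    "android.permission.SEND_SMS": "can send SMS messages",
    "android.permission.RECEIVE_SMS": "can intercept incoming SMS",
    "android.permission.READ_CONTACTS": "can read the contacts list",
    "android.permission.CALL_PHONE": "can place calls",
}

# Constructed sample manifest (hypothetical package, not from a real app).
SAMPLE_MANIFEST = """<manifest
    xmlns:android="http://schemas.android.com/apk/res/android"
    package="com.example.flashupdate">
  <uses-permission android:name="android.permission.INTERNET"/>
  <uses-permission android:name="android.permission.SYSTEM_ALERT_WINDOW"/>
  <uses-permission android:name="android.permission.READ_SMS"/>
  <application>
    <service android:name=".HelperService"
        android:permission="android.permission.BIND_ACCESSIBILITY_SERVICE"/>
  </application>
</manifest>"""

def triage_manifest(xml_text):
    """Return (package, accessibility services, risky companion findings)."""
    root = ET.fromstring(xml_text)
    requested = {e.get(ANDROID_NS + "name") for e in root.iter("uses-permission")}
    services = [s.get(ANDROID_NS + "name") for s in root.iter("service")
                if s.get(ANDROID_NS + "permission") == BIND_A11Y]
    findings = []
    if services:  # companions only matter when an accessibility service exists
        findings = sorted(f"{p}: {why}" for p, why in RISKY_COMPANIONS.items()
                          if p in requested)
    return root.get("package"), services, findings

if __name__ == "__main__":
    pkg, services, findings = triage_manifest(SAMPLE_MANIFEST)
    print(pkg, "accessibility services:", services)
    for line in findings:
        print("  review:", line)
```

A hit is a reason to look closer, not a verdict: legitimate assistive apps declare the same service permission.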
Tips to Avoid Android Accessibility Services Malware
When you install an app on Android, you may come across a list of permissions that the app requests to use. Some permissions raise obvious concerns, like a note-taking app asking for full control over your SMS messages.
However, when an app requests access to accessibility services, it may not seem suspicious. After all, it could be offering additional features to assist people with disabilities.
This permission is something users often feel comfortable granting, but it can pose problems if the app has malicious intentions.
Therefore, it’s important to be cautious when granting accessibility service permissions. If a popular and highly-rated app asks for these permissions, it’s likely for legitimate disability support.
However, if a relatively new app with few reviews suddenly asks for such permissions, it’s advisable to exercise caution and refrain from installing it.
Moreover, it is recommended to use the official app store whenever possible. While it may be difficult to detect accessibility attacks, Google actively removes apps caught engaging in such activities.
On the other hand, third-party app stores may allow these apps to remain available, potentially infecting more users.
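The same caution can be applied to a device that already has apps installed. The following is an added example, not part of the original article: it lists enabled accessibility services whose package is neither preinstalled nor installed through the Play Store, using the text output of three standard `adb shell` commands. The sample outputs and the `com.example.*` package names are constructed.

```python
import re

PLAY_STORE = "com.android.vending"

# Constructed sample outputs; on a real device they come from:
#   adb shell settings get secure enabled_accessibility_services
#   adb shell pm list packages -i
#   adb shell pm list packages -s
ENABLED = ("com.google.android.marvin.talkback/"
           "com.google.android.marvin.talkback.TalkBackService:"
           "com.example.flashupdate/.HelperService")
PACKAGES_I = """\
package:com.google.android.marvin.talkback  installer=com.android.vending
package:com.example.flashupdate  installer=null
package:com.example.notes  installer=com.android.vending"""
SYSTEM_PKGS = "package:com.android.settings\npackage:com.android.phone"

def enabled_services(setting):
    """Split the colon-separated setting into (package, class) pairs."""
    setting = setting.strip()
    if not setting or setting == "null":  # nothing enabled
        return []
    return [tuple(c.split("/", 1)) for c in setting.split(":") if "/" in c]

def installers(pm_output):
    """Map package name -> installer from `pm list packages -i` lines."""
    pairs = re.findall(r"^package:(\S+)\s+installer=(\S+)", pm_output, re.M)
    return {pkg: (None if inst == "null" else inst) for pkg, inst in pairs}

def audit(setting, pm_i_output, pm_s_output):
    """Return enabled accessibility services that need a manual look."""
    source = installers(pm_i_output)
    system = set(re.findall(r"^package:(\S+)", pm_s_output, re.M))
    flagged = []
    for pkg, cls in enabled_services(setting):
        if pkg in system or source.get(pkg) == PLAY_STORE:
            continue  # preinstalled, or installed through the official store
        flagged.append((pkg, cls, source.get(pkg) or "unknown/sideloaded"))
    return flagged

if __name__ == "__main__":
    for pkg, cls, src in audit(ENABLED, PACKAGES_I, SYSTEM_PKGS):
        print(f"review {pkg}/{cls} (installer: {src})")
```

Services that pass this filter still deserve a periodic look, since apps from the official store have abused accessibility as well.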