[Droid Knowledge & Tips #14] How Android Accessibility Services Can Be Used to Hack Your Phone
The Android Accessibility Service is a key part of helping the elderly and disabled use their smartphones. However, it also opens up the door for malware developers to create sneaky malware ruins people’s day.
Let’s explore the Android Accessibility Service, and how it can be used for malicious intent.
The Android Accessibility Suite allows apps to take control of the phone to perform special tasks. The main goal is to aid people with disabilities to use their phone.
For example, if the developer is concerned that people with bad vision couldn’t read some text, they can use the service to read the text out to the user.
The service can also perform actions for the user and overlay content over other apps. These are all intended to help people use their phones and allow users with a wide range of different disabilities to use their devices.
Note that this is different from the Android Accessibility Suite. While the Accessibility Service is for developers who want to enhance their apps, the Android Accessibility Suite is used for providing apps to help the disabled.
How Can the Android Accessibility Service Be Misused?
Unfortunately, giving developers more control over a phone always has malicious potential. For example, the same feature that reads text out to the user can also scan the text and send it to the developer.
Controlling user actions and displaying overlay content are both key elements for a clickjacking attack. Malware can use this service to click buttons for itself, such as granting itself administration privileges. It can also overlay content over the screen and trick the user into clicking on it.
Examples of Malicious Use of the Android Accessibility Service
We could talk about the potential of malware using the Android Accessibility Service, but what better way to learn than using real-world examples? Android’s malware history has plenty of attacks that use the Android Accessibility Service for its own gain, so let’s explore some of the heavy hitters.
Cloak and Dagger
Cloak and Dagger was one of the scarier examples of this kind of malware. It combined the Accessibility Service with an overlay drawing service to read everything on a user’s phone.
The main headache with fighting Cloak and Dagger was in its execution. It used legitimate Android services to carry out the attack, which allowed it to sneak past antiviruses and detection. It also made it easy for the developers to upload infected apps to the Google Play store, as the security check wouldn’t pick up on it.
Anubis
Anubis is a banking Trojan that operates by stealing banking credentials from users and sending them back to the developer. Banking Trojans are one of the popular methods hackers use to break into bank accounts.
Anubis utilized the Accessibility Services to read what people were typing. Banking Trojans typically get the financial details by showing a fake overlay that looks like the banking app. This fools the user into entering their details into the fake bank overlay instead of the official app.
Anubis skipped this step by reading what is entered on the keyboard. Even if the user took the care to enter their details into the real banking app, Anubis would still get their details.
Ginp
Let’s explore something a little more recent. Ginp is an Android Trojan that takes inspiration from Anubis. While it contained code from Anubis, the program wasn’t a modded version of the source malware. The developer built it from scratch, then later stole code from Anubis to perform specific functions.
Ginp would pretend to be Adobe Flash Player, then ask the user if they wanted to install it. It would then ask for several permissions, including Accessibility Services.
If the user granted the fake Flash Player permission, Ginp would then use the service to grant itself administration privileges. With these privileges, it could then set itself as the phone’s default phone and SMS app. From here, it could harvest SMS messages, send messages of its own, glean the contacts list, and forward calls.
To make things worse, Ginp also took a page from Anubis’ book and moved into bank scams. It uses the Accessibility Services to overlay a bank login page over the official app’s page, which then harvests the user’s login details and credit card information.
What Is Google Doing to Defend Users?
When the Accessibility Service fell into the hands of malware developers, Google tried to stop misuse. Back in 2017, they sent an email to developers stating that any apps that don’t use the service for aiding the disabled will have their app immediately deleted.
Unfortunately, this hadn’t put a stop to people uploading infected apps. In fact, due to its nature of using official services, it’s quite hard to notice accessibility misuse.
Apps on third-party stores don’t fare well, either. Google scans the Google Play service for hacking apps and deletes anything it finds. Third-party stores, however, don’t have this luxury. This means that apps on third-party stores can misuse Accessibility Services as much as they like without detection.
How to Avoid Android Accessibility Services Malware
When you install an app on Android, you sometimes see a list of permissions the app wants to use. There are obvious red flags to spot for, such as a note-taking app asking for full control over your SMS messages.
When an app asks for access to the accessibility services, however, it doesn’t seem too suspicious. After all, what if the app has additional features to help the disabled? It’s a permission that users feel safe saying yes to, which can cause problems if the app has malicious intent.
As such, be careful with accessibility service permissions. If a viral and highly-rated app asks for them, it’s safe to assume it’s to help the disabled. However, if a relatively new app with minimal reviews asks for them out of the blue, it may be best to exercise caution and not go ahead with the install.
Also, use the official app store as often as possible. While accessibility attacks are hard to spot, Google will delete any apps that are caught red-handed. Third-party stores, however, may let these apps linger on their store as it infects more and more users.
Sum Up
It may seem innocent enough to give an app access to disability services, but the results can be anything but. Malicious apps can use Android’s Accessibility Services to monitor what you’re typing, display overlays to fool people, and even grant themselves higher access.
The Android Accessibility Service is a key part of helping the elderly and disabled use their smartphones. However, it also opens up the door for malware developers to create sneaky malware ruins people’s day.
Let’s explore the Android Accessibility Service, and how it can be used for malicious intent.
The Android Accessibility Suite allows apps to take control of the phone to perform special tasks. The main goal is to aid people with disabilities to use their phone.
For example, if the developer is concerned that people with bad vision couldn’t read some text, they can use the service to read the text out to the user.
The service can also perform actions for the user and overlay content over other apps. These are all intended to help people use their phones and allow users with a wide range of different disabilities to use their devices.
Note that this is different from the Android Accessibility Suite. While the Accessibility Service is for developers who want to enhance their apps, the Android Accessibility Suite is used for providing apps to help the disabled.
How Can the Android Accessibility Service Be Misused?
Unfortunately, giving developers more control over a phone always has malicious potential. For example, the same feature that reads text out to the user can also scan the text and send it to the developer.
Controlling user actions and displaying overlay content are both key elements for a clickjacking attack. Malware can use this service to click buttons for itself, such as granting itself administration privileges. It can also overlay content over the screen and trick the user into clicking on it.
Examples of Malicious Use of the Android Accessibility Service
We could talk about the potential of malware using the Android Accessibility Service, but what better way to learn than using real-world examples? Android’s malware history has plenty of attacks that use the Android Accessibility Service for its own gain, so let’s explore some of the heavy hitters.
Cloak and Dagger
Cloak and Dagger was one of the scarier examples of this kind of malware. It combined the Accessibility Service with an overlay drawing service to read everything on a user’s phone.
The main headache with fighting Cloak and Dagger was in its execution. It used legitimate Android services to carry out the attack, which allowed it to sneak past antiviruses and detection. It also made it easy for the developers to upload infected apps to the Google Play store, as the security check wouldn’t pick up on it.
Anubis
Anubis is a banking Trojan that operates by stealing banking credentials from users and sending them back to the developer. Banking Trojans are one of the popular methods hackers use to break into bank accounts.
Anubis utilized the Accessibility Services to read what people were typing. Banking Trojans typically get the financial details by showing a fake overlay that looks like the banking app. This fools the user into entering their details into the fake bank overlay instead of the official app.
Anubis skipped this step by reading what is entered on the keyboard. Even if the user took the care to enter their details into the real banking app, Anubis would still get their details.
Ginp
Let’s explore something a little more recent. Ginp is an Android Trojan that takes inspiration from Anubis. While it contained code from Anubis, the program wasn’t a modded version of the source malware. The developer built it from scratch, then later stole code from Anubis to perform specific functions.
Ginp would pretend to be Adobe Flash Player, then ask the user if they wanted to install it. It would then ask for several permissions, including Accessibility Services.
If the user granted the fake Flash Player permission, Ginp would then use the service to grant itself administration privileges. With these privileges, it could then set itself as the phone’s default phone and SMS app. From here, it could harvest SMS messages, send messages of its own, glean the contacts list, and forward calls.
To make things worse, Ginp also took a page from Anubis’ book and moved into bank scams. It uses the Accessibility Services to overlay a bank login page over the official app’s page, which then harvests the user’s login details and credit card information.
What Is Google Doing to Defend Users?
When the Accessibility Service fell into the hands of malware developers, Google tried to stop misuse. Back in 2017, they sent an email to developers stating that any apps that don’t use the service for aiding the disabled will have their app immediately deleted.
Unfortunately, this hadn’t put a stop to people uploading infected apps. In fact, due to its nature of using official services, it’s quite hard to notice accessibility misuse.
Apps on third-party stores don’t fare well, either. Google scans the Google Play service for hacking apps and deletes anything it finds. Third-party stores, however, don’t have this luxury. This means that apps on third-party stores can misuse Accessibility Services as much as they like without detection.
How to Avoid Android Accessibility Services Malware
When you install an app on Android, you sometimes see a list of permissions the app wants to use. There are obvious red flags to spot for, such as a note-taking app asking for full control over your SMS messages.
When an app asks for access to the accessibility services, however, it doesn’t seem too suspicious. After all, what if the app has additional features to help the disabled? It’s a permission that users feel safe saying yes to, which can cause problems if the app has malicious intent.
As such, be careful with accessibility service permissions. If a viral and highly-rated app asks for them, it’s safe to assume it’s to help the disabled. However, if a relatively new app with minimal reviews asks for them out of the blue, it may be best to exercise caution and not go ahead with the install.
Also, use the official app store as often as possible. While accessibility attacks are hard to spot, Google will delete any apps that are caught red-handed. Third-party stores, however, may let these apps linger on their store as it infects more and more users.
Sum Up
It may seem innocent enough to give an app access to disability services, but the results can be anything but. Malicious apps can use Android’s Accessibility Services to monitor what you’re typing, display overlays to fool people, and even grant themselves higher access.