How Android Accessibility Services Can Be Used to Hack Your Phone

Affiliate Disclosure: By buying the products we recommend, you help keep the site alive. Read more.

Advertisement

The Android Accessibility Service is a key part of helping the elderly and disabled use their smartphones. However, it also opens up the door for malware developers to create sneaky malware ruins people’s day.

Let’s explore the Android Accessibility Service, and how it can be used for malicious intent.

What Is the Android Accessibility Service?

The Android Accessibility Suite allows apps to take control of the phone to perform special tasks. The main goal is to aid people with disabilities to use their phone.

For example, if the developer is concerned that people with bad vision couldn’t read some text, they can use the service to read the text out to the user.

The service can also perform actions for the user and overlay content over other apps. These are all intended to help people use their phones and allow users with a wide range of different disabilities to use their devices.

Note that this is different from the Android Accessibility Suite. While the Accessibility Service is for developers who want to enhance their apps, the Android Accessibility Suite is used for providing apps to help the disabled.

How Can the Android Accessibility Service Be Misused?

Unfortunately, giving developers more control over a phone always has malicious potential. For example, the same feature that reads text out to the user can also scan the text and send it to the developer.

Controlling user actions and displaying overlay content are both key elements for a clickjacking Clickjacking: What Is It, and How Can You Avoid It? Clickjacking: What Is It, and How Can You Avoid It? Clickjacking is difficult to detect and potentially devastating. Here's what you need to know about clickjacking, including what it is, where you'll see it, and how to protect yourself against it. Read More attack. Malware can use this service to click buttons for itself, such as granting itself administration privileges. It can also overlay content over the screen and trick the user into clicking on it.

Examples of Malicious Use of the Android Accessibility Service

We could talk about the potential of malware using the Android Accessibility Service, but what better way to learn than using real-world examples? Android’s malware history has plenty of attacks that use the Android Accessibility Service for its own gain, so let’s explore some of the heavy hitters.

Cloak and Dagger

Cloak and Dagger was one of the scarier examples of this kind of malware. It combined the Accessibility Service with an overlay drawing service to read everything on a user’s phone.

The main headache with fighting Cloak and Dagger was in its execution. It used legitimate Android services to carry out the attack, which allowed it to sneak past antiviruses and detection. It also made it easy for the developers to upload infected apps to the Google Play store, as the security check wouldn’t pick up on it.

Anubis

Anubis is a banking Trojan that operates by stealing banking credentials from users and sending them back to the developer. Banking Trojans are one of the popular methods hackers use to break into bank accounts 5 Methods Hackers Use to Break Into Your Bank Account 5 Methods Hackers Use to Break Into Your Bank Account The risk to your bank account from hackers is real. Here are the ways hackers can gain access to your savings and clear you out. Read More .

Anubis utilized the Accessibility Services to read what people were typing. Banking Trojans typically get the financial details by showing a fake overlay that looks like the banking app. This fools the user into entering their details into the fake bank overlay instead of the official app.

Anubis skipped this step by reading what is entered on the keyboard. Even if the user took the care to enter their details into the real banking app, Anubis would still get their details.

Ginp

Let’s explore something a little more recent. Ginp is an Android Trojan that takes inspiration from Anubis. While it contained code from Anubis, the program wasn’t a modded version of the source malware. The developer built it from scratch, then later stole code from Anubis to perform specific functions.

Ginp would pretend to be Adobe Flash Player, then ask the user if they wanted to install it. It would then ask for several permissions, including Accessibility Services.

If the user granted the fake Flash Player permission, Ginp would then use the service to grant itself administration privileges. With these privileges, it could then set itself as the phone’s default phone and SMS app. From here, it could harvest SMS messages, send messages of its own, glean the contacts list, and forward calls.

To make things worse, Ginp also took a page from Anubis’ book and moved into bank scams. It uses the Accessibility Services to overlay a bank login page over the official app’s page, which then harvests the user’s login details and credit card information.

What Is Google Doing to Defend Users?

When the Accessibility Service fell into the hands of malware developers, Google tried to stop misuse. Back in 2017, they sent an email to developers stating that any apps that don’t use the service for aiding the disabled will have their app immediately deleted.

Unfortunately, this hadn’t put a stop to people uploading infected apps. In fact, due to its nature of using official services, it’s quite hard to notice accessibility misuse.

Apps on third-party stores don’t fare well, either. Google scans the Google Play service for hacking apps and deletes anything it finds. Third-party stores, however, don’t have this luxury. This means that apps on third-party stores can misuse Accessibility Services as much as they like without detection.

How to Avoid Android Accessibility Services Malware

When you install an app on Android, you sometimes see a list of permissions the app wants to use. There are obvious red flags to spot for, such as a note-taking app asking for full control over your SMS messages.

When an app asks for access to the accessibility services, however, it doesn’t seem too suspicious. After all, what if the app has additional features to help the disabled? It’s a permission that users feel safe saying yes to, which can cause problems if the app has malicious intent.

As such, be careful with accessibility service permissions. If a viral and highly-rated app asks for them, it’s safe to assume it’s to help the disabled. However, if a relatively new app with minimal reviews asks for them out of the blue, it may be best to exercise caution and not go ahead with the install.

Also, use the official app store as often as possible. While accessibility attacks are hard to spot, Google will delete any apps that are caught red-handed. Third-party stores, however, may let these apps linger on their store as it infects more and more users.

Keeping Your Phone Safe From Permission Abuse

It may seem innocent enough to give an app access to disability services, but the results can be anything but. Malicious apps can use Android’s Accessibility Services to monitor what you’re typing, display overlays to fool people, and even grant themselves higher access.

If you want to learn more about malware permission abuse, check the smartphone app permissions you need to check today 5 Smartphone App Permissions You Need to Check Today 5 Smartphone App Permissions You Need to Check Today Android and iOS permissions can be abused in various ways. Don't let your phone leak data to advertisers. Here's how to take control of app permissions. Read More .

Explore more about: Accessibility, Clickjacking, Google Play, Smartphone Security.

Whatsapp Pinterest

Enjoyed this article? Stay informed by joining our newsletter!

Enter your Email

Leave a Reply

Your email address will not be published. Required fields are marked *

  1. Mayank setia
    January 3, 2020 at 9:20 am

    Nice article! Thanks for sharing this.

  2. Lynley McWhorter
    February 24, 2018 at 2:39 am

    Please change your website so that it clears the commentor’s name & email when you upload the comment.

  3. Lynley McWhorter
    February 24, 2018 at 2:37 am

    The hacking of my devices began on my iPhone. I searched for your exact article title because I’m starting a web next week, focusing on safety online, app & software reviews, privacy invaders, etc. My “cyber stalker” used my accessibility settings to lock me out of my iDevices. I wasn’t even aware of these settings before. I didn’t have my iPhone and iPad connected (security wise) when it first started. I never used my iPad, then found “he” locked me out of it. Actually, I caught him in the middle of the night doing work that looked like app development. By 8:00 am, he was using switches, scanning, and all kinds of accessibility voodoo to lock me out. I saw fake Apple websites, all kinds of things before that.

    It started on dec. 18th, I haven’t heard from him in a month now. I have two ideas of who, or where the harassment originated. After that, he would hop on my Linux laptop, then found my android. I’ve cleaned and reloaded all devices twice. Finally gave up.

    Anyway, that’s the very beginning of a horrendous and torturous two months of my life began.

    • Jason Hetrick
      May 12, 2019 at 11:26 pm

      This is all happening to me now. How can I stop it? Please help me.