One the one hand, Android’s Accessibility Service and the ecosystem of legitimate accessibility service apps are a much needed part of the mobile app economy. On the other hand, without protection, accessibility service might remain one of mobile malware’s best friends. In fact, Accessibility Services have become a powerful part of new and sophisticated forms of mobile malware on Android devices. Cyber-criminals now use Android Accessibility Services in blended, highly sophisticated attacks against mobile banking and other transaction based mobile apps. In this blog, I’ll describe what Accessibility Service Malware is and how to defeat it using Appdome’s Anti-Malware feature set.
What is Android Accessibility Service?
Accessibility Service in an OS-level event framework in Android that is designed to support apps and functionality that support people with disabilities. For example, Android Accessibility Services powers amazing and useful functionality such as screen readers, speech-to-text, text magnification, interactions and gestures, field or form input, and more.
What is Accessibility Service Malware?
Over the past few years, malware designed specifically to exploit the Android Accessibility Service event framework have emerged to be a major threat to mobile banking and other transaction based mobile apps. Common exploits include gaining unauthorized access to in app events, stealing PII, transaction and other sensitive information, performing or hijacking transactions, and evading detection. This unique class of mobile malware makes a dizzying array of information, techniques and exploits available to the attackers and fraudsters alike. Not only that, Accessibility Service Malware uses powerful system callbacks and command and control functionality allowing it to adapt and receive new targets and payloads remotely. To get an idea of just how big this problem is, consider that there have been over 16,000 reported instances of accessibility service malware known as FluBot (otherwise known as a banking trojan) in Australia and New Zealand alone. Also consider that FluBot is just one of literally tens of thousands of variants of malware, all of which employ some form of Accessibility Service abuse. Below are just some of the examples of accessibility service malware targeting financial services mobile apps.
Keep reading to learn how Accessibility Service Malware works. More importantly, learn what you can do to detect and defeat Accessibility Service Malware if you’re a mobile developer or cyber security professional.
How Accessibility Service Malware Works
Listening and Modifying Accessibility Events
Using Android Accessibility Services is set at the device level. Once enabled, Accessibility Services is available for all applications on a Android device. And, once enabled, Accessibility Services makes a powerful event framework available to external applications allowing such applications to receive information and perform inputs on behalf of users for key actions in a mobile app, such as knowing when users are on specific screens, tapping a button or entering text into a field. As part of this event framework, the accessibility service can listen and intercept events, activities, and even modify inputs and actions. The actual user does not need to confirm these actions, and, in many if not all cases, may not even be aware that the Accessibility Service Malware is performing actions on its own behalf. Recent well-known examples of accessibility service malware include FluBot, Teabot, PixPirate, Brasdex and Xenomorph. BrasDex and Xenomorph, all of which target mobile banking apps and monitor Accessibility Service events and user activity to harvest transaction, PII and other data.
Input Capture Attack – Overlays and Keylogging
The Accessibility Service Malware can be made aware of the specific user interface that it is harvesting. Meaning, the Accessibility Services Malware can use additional forms of input capture attack to actually harvest transaction, PII and other data from the exploited mobile app. The common techniques here include using overlay attacks, key logging, screen captures and screen recordings. These input capture attacks often fit over the affected area in the app, and either mimic (or remain transparent to) the targeted mobile apps, to be effective and unseen by the user. For example, MysteryBot is an Android banking trojan that uses Accessibility Services with overlay attacks places itself over a targeted app, concealing part of the app screen, and then tricking the user into clicking on a fake button or screen. MysteryBot also includes keylogging functionality that can capture data entered by the user by monitoring the touchscreen and translating the coordinates to determine which characters the user selected.
Injection Attacks – Keystrokes and Auto-Tapping
Injection attacks are a set of techniques that impersonate user interaction with a mobile app such as key actions, form or field inputs, taps and other gestures, all without the user’s knowledge. The attacker or malware initiates actions or populates input into fields usually as part of synthetic fraud. Mobile banking trojans such as SharkBot, BrasDex and Xenomorph use Accessibility Services to auto-populate fields, hide the malicious app, and prevent the device owner from uninstalling and deleting the malicious app. Using Accessibility Services, these malware auto-fill fields in mobile banking and other transaction based mobile app using a malicious payload called ATS (Automatic Transfer System). Once the user launches or logs into the mobile banking app the malware would receive an array of events (clicks/touches, button presses, gestures, etc.). Those events are used to hijack or impersonate the interaction of the victim-user with the mobile banking app to make money transfers, change the destination and/or amount of transactions, etc. This way, the money transfer is made from the device of the victim by simulating different events, which makes it much more difficult for traditional monitoring systems to detect fraud.
MFA/2FA Bypass – Used for Fake Transactions
2FA-bypassing malware is the holy grail of Android Accessibility Service Malware. While there are many variants of this class of attack, the general scenario involves the accessibility malware obtaining the 2FA token from a 2FA app or SMS and then passing the stolen token as a parameter in the transaction process. For example, in a transaction with an intent to launch the 2FA app (e.g., Google Authenticator), the malware reads the text value of the token by finding the text value of the Google Authentication code using the command findAccessibilityNodeInfosByViewId. After obtaining the 2FA token, the malware opens the victim’s app and taps through the transaction process. Once the 2FA entry is prompted, the trojan then passes the stolen value in the appropriate edit text automatically.
Command & Control (C2C) – for Targeting and ATS Payloads
Most Accessibility Service Malware uses a remote command and control (C2C) framework to receive updated ATS payloads including lists of apps to target and tailor made malicious payloads for targeted applications. This allows the attacker to expand the reach of each malware installation to include new applications and modified exploits to keep pace with any app updates to the UX/UI or overcome errors in the execution of a malicious payload.
Protect Mobile Apps from Accessibility Service Malware
Most security professionals will agree that the best defense to any attack is a multi-layered security model. At Appdome, we recommend deploying a multi-layered defense model in Android mobile apps.
First, we recommend adding protections to Android mobile applications that actually Detect Accessibility Malware, which is malware that abuses accessibility services for malicious ends. Appdome is unique in this area as we are the only security vendor that can identify legitimate from malicious accessibility services apps. Second, we recommend defending against the input capture attack methods used by Accessibility Service Malware such as overlay attack prevention (as Anubis, BankBot, Xenomorph, etc. use overlays), keylogger prevention (as Brasdex, SpyNote, Joker, etc. use keyloggers), Auto-Clickers, KeyStroke Injection and even Screen Sharing and Copy/Paste. Third, we recommend adding protections to Android application that stop the creation of ATS payloads designed to exploit the targeted mobile app. For example, we recommend that Android developers consider detecting ADB, Magisk , and Frida, all of which can be used to dynamically test and modify the app or injecting malicious code to change the app’s behavior during runtime. Traditional mobile app protections such as RASP (anti-debugging and anti-tampering) and Code Obfuscation will offer additional protections to this line up but are not adequate as stand-alone protections against Accessibility Service Malware. Classic runtime defenses like Jailbreak & Rooting Detection and MiTM Attack Prevention can also be considered, though some Accessibility Service Malware does not rely on these methods.
Using Cyber Defense Automation to Combat Accessibility Service Malware
Accessibility Service Malware is a rapidly evolving and constantly changing part of the malware ecosystem. Cyber Defense Automation for Mobile Apps offers Android developers and cyber teams a comprehensive, automated system to build, test, release and monitor Accessibility Service Malware defense in Android mobile apps in the DevOps CI/CD pipeline.
Request a demo of Appdome today to learn how to protect any mobile apps against Accessibility Service Malware.Request a Demo