Adversaries may abuse accessibility features in Android devices to steal sensitive data and to spread malware to other devices. Accessibility features in Android are designed to assist users with disabilities, performing a variety of tasks, such as using Action Blocks to control lightbulbs, and changing the device’s user interface, such as changing the font size and adjusting contract or colors.[1]
One example of how adversaries abuse accessibility features is overlaying an HTML object mimicking a legitimate login screen. The user types their credentials in the overlay HTML object, which is then sent to the adversaries.[2]
Another example is a malicious accessibility feature acting as a keylogger. The keylogger monitors changes on the EditText fields and sends it to the adversaries.[2] This method of attack is also described in Keylogging; whereas Abuse Accessibility Features captures the overall abuse of accessibility features.
| ID | Name | Description |
|---|---|---|
| S0422 | Anubis |
After accessibility service is granted, Anubis lures the victim into changing the Accessibility settings on the device, disabling application removal, and executes screen taps and other commands without the victim’s knowledge.[3] |
| S1083 | Chameleon |
After accessibility permissions are granted, Chameleon has used the Accessibility Service to perform a variety of actions, such as switching from biometric authentication to PIN authentication, automatically granting additional permissions, preventing uninstallation, disabling Play Protect.[4][5] |
| S1225 | CherryBlos |
After accessibility permissions are granted, CherryBlos has used the Accessibility Service to monitor when a wallet application launches and to steal credentials.[6] |
| S9004 | Crocodilus |
Crocodilus has requested for Accessibility Service to be enabled. Upon approval, Crocodilus has connected to the C2 server to receive instructions, has continuously monitored Accessibility events, and has captured elements, such as wallet keys, displayed on the device screen.[7] |
| S9005 | DocSwap |
Once accessibility permissions are granted, DocSwap has abused the Accessibility Service to execute a keylogging capability.[8][9] |
| S1067 | FluBot |
FluBot abuses accessibility features in three ways: steal application credentials, evade detection and removal, and send SMS for lateral movement.[2] |
| S1231 | GodFather |
GodFather has abused the accessibility service to prevent the user from uninstalling GodFather, to exfiltrate Google Authenticator one-time passwords and to steal credentials.[10] |
| S9006 | VajraSpy |
VajraSpy has exploited accessibility features to intercept and exfiltrate communication from WhatsApp, WhatsApp Business and Signal and to automatically enable necessary permissions on the user’s behalf.[11] |
| ID | Mitigation | Description |
|---|---|---|
| M1011 | User Guidance |
First, users should be wary of clicking on suspicious text messages, links and emails. Secondly, users should be wary of granting applications accessibility features. Users may check applications that have been granted accessibility features by going to Settings, then Accessibility. Finally, users should be wary of downloading applications; although applications may be on the Google Play Store, they may not be benign (see Application Versioning). |
| ID | Name | Analytic ID | Analytic Description |
|---|---|---|---|
| DET0697 | Detection of Abuse Accessibility Features | AN1812 |
A defender correlates an application being granted accessibility service control with subsequent consumption of high-volume accessibility events, interaction with sensitive UI elements or text-entry fields, optional overlay/window presentation over other applications, and near-term local buffering or outbound network transmission, indicating abuse of accessibility features for input capture, credential theft, or automated interaction. |