Adversaries may abuse accessibility features in Android devices to steal sensitive data and to spread malware to other devices. Accessibility features in Android are designed to assist users with disabilities by performing a variety of tasks, such as using Action Blocks to control lightbulbs, and by changing the device's user interface, such as changing the font size and adjusting contrast or colors.[1] An app that the user enrolls as an accessibility service can observe the content of other apps' windows, receive their UI events and inject taps and gestures, which is why the permission is so attractive to malware.
One example of how adversaries abuse accessibility features is overlaying an HTML object that mimics a legitimate login screen. The accessibility service is used to detect when the targeted application comes to the foreground, the overlay is drawn on top of it, and the credentials the user types into the overlay are sent to the adversaries.[2]
Another example is a malicious accessibility service acting as a keylogger. The keylogger subscribes to text-change events on EditText fields, reads the new contents and sends them to the adversaries.[2] This method of attack is also described in Keylogging; Abuse Accessibility Features captures the overall abuse of accessibility features.
| ID | Name | Description |
|---|---|---|
| S0422 | Anubis | After the accessibility service is granted, Anubis lures the victim into changing the Accessibility settings on the device, disables application removal, and executes screen taps and other commands without the victim's knowledge.[3] |
| S1083 | Chameleon | After accessibility permissions are granted, Chameleon has used the Accessibility Service to perform a variety of actions, such as switching from biometric authentication to PIN authentication, automatically granting additional permissions, preventing uninstallation, and disabling Play Protect.[4][5] |
| S1225 | CherryBlos | After accessibility permissions are granted, CherryBlos has used the Accessibility Service to monitor when a wallet application launches and to steal credentials.[6] |
| S1067 | FluBot | FluBot abuses accessibility features in three ways: to steal application credentials, to evade detection and removal, and to send SMS messages for lateral movement.[2] |
| S1231 | GodFather | GodFather has abused the accessibility service to prevent the user from uninstalling GodFather, to exfiltrate Google Authenticator one-time passwords and to steal credentials.[7] |
| ID | Mitigation | Description |
|---|---|---|
| M1011 | User Guidance | First, users should be wary of clicking on suspicious text messages, links and emails. Secondly, users should be wary of granting applications accessibility features; the prompt Android shows when enabling a service states that the app will be able to view and control the screen. Users may check which applications have been granted accessibility features by going to Settings, then Accessibility, and should disable any service they do not recognize. Finally, users should be wary of downloading applications; although applications may be on the Google Play Store, they may not be benign (see Application Versioning). |
| ID | Name | Analytic ID | Analytic Description |
|---|---|---|---|
| DET0697 | Detection of Abuse Accessibility Features | AN1812 | Application vetting services can look for applications requesting the permissions granting access to accessibility services or application overlay: a service declared with the `android.permission.BIND_ACCESSIBILITY_SERVICE` permission (together with its accessibility-service configuration, which states which event types it receives and whether it can read window content or perform gestures), and the `android.permission.SYSTEM_ALERT_WINDOW` permission for overlays. Neither is malicious on its own, so the combination of an accessibility service with overlay, text-change capture or SMS permissions is the stronger signal. |
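The following is an added example of the vetting check described by the analytic above and of the capabilities the overlay and keylogger paragraphs rely on; it is not MITRE's tooling nor code from any of the listed malware families. It inspects the two artifacts an app-vetting pipeline has after decoding an APK (for instance with apktool): `AndroidManifest.xml` and the accessibility-service configuration resource referenced from the service's `android.accessibilityservice` meta-data entry. The manifest and configuration strings, the package name `com.example.cleaner` and the function names are all constructed for this example.

```python
"""Static vetting of an Android app's accessibility and overlay capabilities.

Added example; not MITRE's or any vendor's code. Inputs are the decoded
AndroidManifest.xml and the res/xml accessibility-service config.
"""
import xml.etree.ElementTree as ET

ANDROID_NS = "http://schemas.android.com/apk/res/android"


def a(attr):
    """Qualified name of an android:* attribute for ElementTree lookups."""
    return f"{{{ANDROID_NS}}}{attr}"


# Constructed sample manifest: a "cleaner" app that declares an accessibility
# service plus the overlay and SMS permissions described in the text.
SAMPLE_MANIFEST = """<manifest xmlns:android="http://schemas.android.com/apk/res/android"
    package="com.example.cleaner">
  <uses-permission android:name="android.permission.INTERNET"/>
  <uses-permission android:name="android.permission.SYSTEM_ALERT_WINDOW"/>
  <uses-permission android:name="android.permission.SEND_SMS"/>
  <application android:label="Cleaner">
    <service android:name=".BoostService"
        android:permission="android.permission.BIND_ACCESSIBILITY_SERVICE"
        android:exported="true">
      <intent-filter>
        <action android:name="android.accessibilityservice.AccessibilityService"/>
      </intent-filter>
      <meta-data android:name="android.accessibilityservice"
          android:resource="@xml/boost_service"/>
    </service>
  </application>
</manifest>"""

# Constructed res/xml/boost_service.xml: receives text-change events from every
# package, can read window content and can inject gestures. That is exactly the
# capability set a keylogger or a self-granting, uninstall-blocking service needs.
SAMPLE_SERVICE_CONFIG = """<accessibility-service xmlns:android="http://schemas.android.com/apk/res/android"
    android:accessibilityEventTypes="typeViewTextChanged|typeWindowStateChanged"
    android:accessibilityFlags="flagRetrieveInteractiveWindows"
    android:canRetrieveWindowContent="true"
    android:canPerformGestures="true"/>"""

OVERLAY_PERMISSION = "android.permission.SYSTEM_ALERT_WINDOW"
BIND_ACCESSIBILITY = "android.permission.BIND_ACCESSIBILITY_SERVICE"
ACCESSIBILITY_ACTION = "android.accessibilityservice.AccessibilityService"
SMS_PERMISSIONS = {"android.permission.SEND_SMS", "android.permission.READ_SMS",
                   "android.permission.RECEIVE_SMS"}


def vet_manifest(manifest_xml):
    """Return the set of indicator names found in an AndroidManifest.xml."""
    root = ET.fromstring(manifest_xml)
    perms = {e.get(a("name")) for e in root.iter("uses-permission")}
    findings = set()
    if OVERLAY_PERMISSION in perms:
        findings.add("overlay_permission")
    if perms & SMS_PERMISSIONS:
        findings.add("sms_permission")
    for svc in root.iter("service"):
        actions = {act.get(a("name")) for act in svc.iter("action")}
        # Either marker identifies the service as an accessibility service.
        if svc.get(a("permission")) == BIND_ACCESSIBILITY or ACCESSIBILITY_ACTION in actions:
            findings.add("accessibility_service")
    return findings


def vet_service_config(config_xml):
    """Return indicator names from an <accessibility-service> config resource."""
    root = ET.fromstring(config_xml)
    events = set(filter(None, (root.get(a("accessibilityEventTypes")) or "").split("|")))
    findings = set()
    if events & {"typeViewTextChanged", "typeAllMask"}:
        findings.add("text_change_events")      # keylogging capability
    if root.get(a("canRetrieveWindowContent")) == "true":
        findings.add("reads_window_content")    # can read other apps' UI, e.g. OTP codes
    if root.get(a("canPerformGestures")) == "true":
        findings.add("performs_gestures")       # can tap through permission/uninstall dialogs
    if not root.get(a("packageNames")):
        findings.add("all_packages")            # not scoped to the app's own package
    return findings


def verdict(manifest_findings, config_findings):
    """An accessibility service alone is legitimate for many apps; paired with
    overlay, SMS or text capture it warrants manual review."""
    if "accessibility_service" not in manifest_findings:
        return "pass"
    suspicious = ({"overlay_permission", "sms_permission"} & manifest_findings) | (
        {"text_change_events", "reads_window_content"} & config_findings)
    return "review" if suspicious else "pass"


if __name__ == "__main__":
    m, c = vet_manifest(SAMPLE_MANIFEST), vet_service_config(SAMPLE_SERVICE_CONFIG)
    print(sorted(m), sorted(c), verdict(m, c))
```

In a real pipeline the config path comes from the `android:resource` attribute of the service's meta-data entry, and the same checks can be run at scale against decoded manifests. The `packageNames` attribute is worth watching: a genuine accessibility tool usually scopes itself or explains why it needs every package, while banking trojans never do.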