
Abuse Accessibility Features

Deprecation Warning

This technique has been deprecated in favor of Input Capture, Input Injection, and Input Prompt.

A malicious app could abuse Android's accessibility features to capture sensitive data or perform other malicious actions.[1]

Adversaries may abuse accessibility features on Android to emulate a user's clicks, for example to steal money from a user's bank account.[2][3]

Adversaries may abuse accessibility features on Android devices to evade defenses by repeatedly clicking the "Back" button when a targeted app manager or mobile security app is launched, or when strings suggesting uninstallation are detected in the foreground. This effectively prevents the malicious application from being uninstalled.[2]

ID: T1453
Tactic Type: Post-Adversary Device Access
Tactic: Collection, Credential Access, Impact, Defense Evasion
Platform: Android
Contributors: Lukas Štefanko, ESET
Version: 2.0
Created: 25 October 2017
Last Modified: 01 October 2019

Mitigations

Application Vetting: Enterprises could perform app vetting before allowing apps to be installed on devices and search for abuse of accessibility features as part of the analysis, or otherwise use mobile app reputation services to search for known malicious apps.

Enterprise Policy: An EMM/MDM can use the Android DevicePolicyManager.setPermittedAccessibilityServices method to whitelist applications that are allowed to use Android's accessibility features.

Use Recent OS Version: Android 7.0 and higher includes additional protections against this technique.
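One way the app vetting step above could triage apps, shown as an added example that is not part of the original page or any vendor's tooling: it scans a decoded AndroidManifest.xml for accessibility service declarations and checks the package against an enterprise allowlist. It assumes the manifest has already been decoded from the APK's binary XML to text; the package names, sample manifests and the `vet` helper are constructed for illustration.

```python
import xml.etree.ElementTree as ET  # stdlib; consider defusedxml for untrusted manifests

A = "{http://schemas.android.com/apk/res/android}"  # android: attribute namespace
BIND_PERM = "android.permission.BIND_ACCESSIBILITY_SERVICE"
SERVICE_ACTION = "android.accessibilityservice.AccessibilityService"

def find_accessibility_services(manifest_xml):
    """Return (package, [fully qualified service names]) for declared accessibility services."""
    root = ET.fromstring(manifest_xml)
    package = root.get("package", "")
    found = []
    for svc in root.iter("service"):
        actions = {a.get(A + "name") for a in svc.iter("action")}
        # Flag on either marker so a partial declaration is still surfaced.
        if svc.get(A + "permission") == BIND_PERM or SERVICE_ACTION in actions:
            name = svc.get(A + "name", "")
            found.append(package + name if name.startswith(".") else name)
    return package, found

def vet(manifest_xml, permitted_packages):
    """'review' if the app declares an accessibility service and is not on the allowlist."""
    package, services = find_accessibility_services(manifest_xml)
    verdict = "review" if services and package not in permitted_packages else "pass"
    return {"package": package, "services": services, "verdict": verdict}

# Constructed sample manifests (hypothetical package names).
SAMPLE_FLAGGED = """<manifest xmlns:android="http://schemas.android.com/apk/res/android"
    package="com.example.flashlight">
  <application>
    <service android:name=".HelperService"
        android:permission="android.permission.BIND_ACCESSIBILITY_SERVICE">
      <intent-filter>
        <action android:name="android.accessibilityservice.AccessibilityService"/>
      </intent-filter>
    </service>
    <service android:name="com.example.flashlight.SyncService"/>
  </application>
</manifest>"""
SAMPLE_CLEAN = """<manifest xmlns:android="http://schemas.android.com/apk/res/android"
    package="com.example.notes"><application/></manifest>"""
PERMITTED = {"com.example.screenreader"}  # hypothetical enterprise allowlist

if __name__ == "__main__":
    for sample in (SAMPLE_FLAGGED, SAMPLE_CLEAN):
        print(vet(sample, PERMITTED))
```

A "review" verdict only means the app can request accessibility access, so it is a triage signal for an analyst rather than proof of abuse.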

References