On Android and iOS, accessibility features are available to help people use their smartphones: audio comments, subtitles, custom display... Some mobile applications designed with an inclusive approach are compatible with accessibility services.
To enable these services in an application, it requires the accessibility permission. But this permission gives applications full access to the user’s device. Today, more and more cybercriminals are leveraging it to take control of smartphones and tablets. When this happens, users find themselves in a bind, unable to uninstall the app or even reset their device.
Recently, the Pradeo Security solution neutralized an application using Android accessibility services for malicious purposes on a protected device. The identified malware was installed through a phishing link. It pretends to be a QR code scanning application but actually exploits the accessibility permission to perform fraudulent banking transactions.
The risks of mobile accessibility services
An application can use the android.permission.BIND_ACCESSIBILITY_SERVICE permission in order to benefit from advanced features facilitating accessibility to users with disabilities. With this permission, an application can control the whole screen (clicks, moves...) as well as the keyboard, read what is displayed and close or open applications.
These features are sensitive because they enable the control of almost all layers of a device. When a malicious application is granted the accessibility permission, it can send all the information displayed on the screen and typed on the keyboard to a remote server, prevent its own removal or a system reset, and even launch itself automatically when the device is rebooted. Unfortunately, the distribution channels used by hackers such as unofficial application stores and messaging services (SMS) do not provide any protection against this threat.
Case study: QR-Code Scanner
Name of the analyzed app: QR-Code Scanner
Package name: com.square.boss
OS: Android
The "QR-Code Scanner" application appears as a QR code scanning application. Its icon and name are not suspicious. However, when launched, no QR code scanning functionality is offered.
Immediately, the application sends a notification that urges to grant the accessibility option, which is necessary for the execution of its attack. As long as the user does not allow it, it continuously sends the same permission request.
Once authorized, the malware can silently approve its own permission requests in place of the user. Thus, it grants itself all the permissions that will allow it to carry out its attack.
In this case, our analysis of the malware suggests that the goal of the hacker behind the application is to commit fraud, by collecting data that the user types or displays on his screen (login, password, credit card numbers ...) and intercepting the temporary authentication code sent.
First, the QR-Code Scanner application accesses the list of applications installed on the victim's device to gauge interest. When banking or e-commerce applications are used, there is a greater chance that banking data is manipulated by the user. When it happens, the hacker collects them.
To enter the victim's account or make a payment with his credit card, the hacker intercepts the one-time password contained in an SMS or a notification. Hence, he bypasses all security measures that authenticate payments and connections using a code. Only verification protocols that use biometric data are safe at this point.
Finally, the application uses the victim's phone to spread to other devices. To do this, it sends an SMS containing a phishing link to the entire contact list. This way, the message comes from a known number and has a better chance of convincing the recipients to install the malware.
Throughout the attack, the malware exploits accessibility services to:
- Spy on users activity
- Grant and prevent the rejection of the permissions it needs
- Prevent removal of the application, either from the homepage or from the settings
- Prevent factory reset, even from a third-party device
- Prevent sleep or shutdown of its process
- Launch at startup
The permissions used by the malware are the following:
android.permission.QUERY_ALL_PACKAGES
android.permission.QUICKBOOT_POWERON
android.permission.RECEIVE_LAUNCH_BROADCASTS
android.permission.GET_TASKS
android.permission.SYSTEM_ALERT_WINDOW
android.permission.RECEIVE_SMS
android.permission.READ_SMS
android.permission.WRITE_SMS
android.permission.SEND_SMS
android.permission.REQUEST_IGNORE_BATTERY_OPTIMIZATIONS
android.intent.action.BOOT_COMPLETED
com.htc.intent.action.QUICKBOOT_POWERON
android.intent.action.QUICKBOOT_POWERON
android.permission.RECEIVE_BOOT_COMPLETED
android.permission.QUICKBOOT_POWERON
Protective measures
Despite the undeniable need for accessibility services, the advanced rights they offer on the system mean that they must be used (on the developer side) and authorized (on the user side) with due consideration.
Today, only a few tools and remediation actions are effective to neutralize the analyzed malware:
- Blocking the application before launching it with Pradeo Security
- Forcing the uninstallation of the application with Pradeo Security for Samsung
- Uninstalling via a device management solution (UEM, MDM)
- Uninstalling via ADB command