Accessibility features enable malware to bypass Android’s permission system that is supposed to prevent malware from stealing credentials. Therefore, the majority of the active banking Trojans exploit this weak spot. Awareness for this issue seems to be limited: only a few apps implement safeguards. Right now, there are no known Android-level countermeasures that would preserve the usability of Accessibility features while at the same time preventing their abuse.

We face a pandemic of Android malware abusing Accessibility

2021 was a truly pandemic year, not only in terms of COVID-19 but also for Android banking malware. The rise in Android banking Trojans is driven by several catalysts: a general professionalization of malware distribution services, and the leaked source codes of Anubis and Cerberus. Many banking Trojans have in common their (ab)use of the Accessibility service to control the infected device.

This article explains how Accessibility features are abused by Android malware to steal sensitive data and spread to other phones. The post focuses on FluBot, a banking Trojan active since December 2020. The analysis is based on FluBot as observed “in the wild” in Germany in July 2021.

Android Accessibility features: A blessing and a curse

Accessibility features are tools included with Android that ease access to mobile phone services for people with disabilities. For example, Android can read text aloud and transcribe voice into text, lowering the barrier of mobile phone usage for visually impaired users. Android Accessibility features can be grouped in four categories: screen readers, display configurations like magnification and Select to Speak, interaction controls like the Accessibility Menu, and audio & on-screen text transcription. These services require broad access to the system itself, the stored data (including e.g., contacts, photos, and passwords), the ability to read the screen, create overlays, and to perform actions on behalf of the user. These all happen to also be features that Android malware can abuse to steal data.

Each “helper app” must be given specific permission to use the Accessibility service. This permission is given only once per app, usually right after the installation of the helper app (or malware app).

Accessibility features can help malware to circumvent Android’s security framework, which makes use of a kernel-level application sandbox to isolate application resources. Even if a malicious app is installed, Android prevents third-party access to protected app resources. This isolation is intended to prevent apps from interacting with other apps unless they have exposed services such as intents and content providers.

When a user enables Accessibility for a malicious app, the security framework can be bypassed in two ways to steal data from other apps:

The first method is that the malicious Accessibility service puts an HTML overlay resembling the actual login screen on the targeted app when it is launched. When the user tries to log in, their login credentials are sent to the hacker’s server.

In the second method, the malicious Accessibility service takes the role of a keylogger by tracking the changes on the EditText fields where the user can input their login credentials. Every time the user inputs or deletes a character, the result is sent to the hacker’s server, enabling them to capture the user credentials.

Google partly mitigated these issues in 2017 by attempting to ban all apps from the Play Store that misused Accessibility services and by limiting the use of this Android API for developers. Yet, since Google can only control the apps in their app store, this did not fix the general problem, as fraudsters now lure victims into installing apps from other sources.

Therefore, Accessibility features can be considered the current Achilles' heel of Android. Given that only a minority of Android users actually use Accessibility features, the authors believe that the barrier of initially activating the far-reaching access should be significantly higher than simply giving an app permission to use them. Users should be asked to authenticate twice to acknowledge a clear warning message highlighting the potential dangers of giving Accessibility privileges to a newly installed app. Google Play services should by default scan all Accessibility-requesting apps independent of whether they were installed through Google Play.

FluBot in action: Lure users through Smishing

The FluBot malware demonstrates how Accessibility features are commonly abused. First “in-the-wild” samples of FluBot were detected by CSIS in December 2020. The first piece of analysis was released in January 2021 by ThreatFabric.
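The post notes that only a few apps implement safeguards against the overlay and keylogger methods described above. As an added example (written for this edit, not code from the original post, from FluBot, or from any bank's app), the Kotlin sketch below shows what such an app-side safeguard looks like: on every resume, a login screen enumerates the accessibility services the user has switched on, refuses to show the form while an unreviewed screen-reading service is active, and hardens its own window against touches routed through an overlay. The package name, the layout and view ids, the allowlist contents and a minSdk of 18 or higher are assumptions of the example.

```kotlin
package com.example.a11yguard // hypothetical package; added example code, not FluBot's or any bank's app

import android.accessibilityservice.AccessibilityServiceInfo
import android.app.Activity
import android.app.AlertDialog
import android.content.Context
import android.os.Build
import android.os.Bundle
import android.view.MotionEvent
import android.view.WindowManager
import android.view.accessibility.AccessibilityManager
import android.widget.Button

/** One enabled accessibility service as the app sees it, with the two capabilities that matter for credential theft. */
data class EnabledA11yService(
    val packageName: String,
    val canReadScreen: Boolean,      // CAPABILITY_CAN_RETRIEVE_WINDOW_CONTENT: needed to observe EditText changes
    val canPerformGestures: Boolean  // CAPABILITY_CAN_PERFORM_GESTURES: needed to tap through dialogs for the user
)

/** Enumerate every accessibility service the user has enabled, regardless of where the app came from. */
fun enabledAccessibilityServices(context: Context): List<EnabledA11yService> {
    val am = context.getSystemService(Context.ACCESSIBILITY_SERVICE) as AccessibilityManager
    return am.getEnabledAccessibilityServiceList(AccessibilityServiceInfo.FEEDBACK_ALL_MASK).map { info ->
        val caps = info.capabilities // API 18+
        EnabledA11yService(
            packageName = info.resolveInfo.serviceInfo.packageName,
            canReadScreen = (caps and AccessibilityServiceInfo.CAPABILITY_CAN_RETRIEVE_WINDOW_CONTENT) != 0,
            canPerformGestures = Build.VERSION.SDK_INT >= Build.VERSION_CODES.N &&
                (caps and AccessibilityServiceInfo.CAPABILITY_CAN_PERFORM_GESTURES) != 0
        )
    }
}

/** Example allowlist (an assumption of this example): genuine assistive apps the app vendor has reviewed. */
private val TRUSTED_A11Y_PACKAGES = setOf("com.google.android.marvin.talkback")

/** Enabled services that can read the screen and are not allowlisted: the shape of an overlay/keylogger service. */
fun suspiciousAccessibilityServices(context: Context): List<EnabledA11yService> =
    enabledAccessibilityServices(context).filter { it.canReadScreen && it.packageName !in TRUSTED_A11Y_PACKAGES }

class LoginActivity : Activity() {
    override fun onCreate(savedInstanceState: Bundle?) {
        super.onCreate(savedInstanceState)
        // FLAG_SECURE blocks screenshots and screen recording of this window. It does NOT stop an
        // accessibility service from reading view content, so it only complements the checks below.
        window.setFlags(WindowManager.LayoutParams.FLAG_SECURE, WindowManager.LayoutParams.FLAG_SECURE)
        setContentView(R.layout.activity_login) // assumed layout containing R.id.login_button

        val submit = findViewById<Button>(R.id.login_button)
        // Discard touches that pass through another window drawn over ours (overlay tapjacking).
        submit.filterTouchesWhenObscured = true
        if (Build.VERSION.SDK_INT >= Build.VERSION_CODES.Q) {
            submit.setOnTouchListener { _, ev ->
                // Android 10+ also flags partial obscuring; consuming the event blocks the click.
                (ev.flags and MotionEvent.FLAG_WINDOW_IS_PARTIALLY_OBSCURED) != 0
            }
        }
    }

    override fun onResume() {
        super.onResume()
        val suspects = suspiciousAccessibilityServices(this)
        if (suspects.isNotEmpty()) {
            // Refuse to present the login form while an unreviewed screen-reading service is active,
            // and name the package so the user can switch it off under Settings > Accessibility.
            AlertDialog.Builder(this)
                .setTitle("Login blocked")
                .setMessage(
                    "An accessibility service that can read this screen is enabled: " +
                        suspects.joinToString { it.packageName } +
                        ". Disable it under Settings > Accessibility before logging in."
                )
                .setCancelable(false)
                .setPositiveButton("Close") { _, _ -> finish() }
                .show()
        }
    }
}
```

An app cannot revoke an Accessibility grant the user has already made, so the check is deliberately a refusal plus a clear message rather than a silent fix; the trade-off is that users of legitimate assistive apps not on the allowlist are blocked too, which is why the allowlist has to be maintained per deployment. The touch filtering only protects the app's own controls and does nothing against a fake login screen drawn on top of the app, which is exactly the overlay case the service enumeration is meant to catch.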