How is Android Accessibility Service affected by a banking Trojan?

Overlay attacks on Android Accessibility Service

To make Android devices more usable to all users -- including people of different ages, experience levels and abilities, including those users who have visual, auditory, motor or cognitive disabilities -- the Android Accessibility Service provides people with disabilities with digital accessibility so they can better use the interface. The software can, for example, read aloud a two-factor authentication code from a mobile device for the user to enter into a computer.

Google included functionality for accessibility to Android products, and it has been used in many different ways, including by some malware that can exploit it. In response, Google has made some changes to the Android Accessibility Service.

One type of malware that abuses the Android Accessibility Service is MysteryBot.

MysteryBot malware abuses Android Accessibility Service

ThreatFabric wrote about a new Android banking Trojan -- dubbed MysteryBot -- that uses a new technique to get around Android updates with an overlay attack that uses the Accessibility Service functionality.

MysteryBot includes an overlay functionality that can attack a long list of financial institutions and mobile apps. Overlay attacks occur when an app places itself over a targeted app; it is an extension of clickjacking attacks on desktop and laptops. This further demonstrates that once malware is on an endpoint, it will take whatever action is necessary to stay there and achieve its goals.

Enterprises may also want to implement endpoint security monitors, such as endpoint security or mobile device management tools, to give them visibility into endpoints and to potentially block malicious apps.

This Android malware uses the Accessibility Service to trick the user into clicking on an unexpected prompt or by identifying when a sensitive app is in use.

Attacks like this one demonstrate why malware doesn't need to escape sandboxes to completely take over a system and abuse legitimate functionality. MysteryBot uses the most generic Android banking Trojan functionality and includes ransomware functionality that can delete contacts.

MysteryBot also includes keylogging functionality that can capture data entered by the user by monitoring the touchscreen and translating the coordinates to determine which characters the user selected. This makes it easier for the malware to capture keystrokes when a custom keyboard is used, and it doesn't require a third-party module for keystroke logging.

Enterprise defenses

While there may be opportunities for continuous improvement to secure mobile devices, enterprise defenses against malware on mobile devices haven't changed much. However, because their security models are different than traditional endpoints, it's easier to secure mobile devices than traditional endpoints.

Users should keep their mobile devices updated with security improvements and patches as Google continues to make improvements to the Android Accessibility Service to minimize abuse.

Enterprises may also want to implement endpoint security monitors, such as endpoint security or mobile device management tools, to give them visibility into endpoints and to potentially block malicious apps. These tools can also help end users make decisions when an app is requesting high-risk permissions, such as those related to the Accessibility Service or Device Administrator.

Once malware is on an endpoint, it will do anything to achieve its goal -- especially when it is financially motivated malware. While a layered defense could minimize the impact of an attack and enable users to detect malware, it may still be able to abuse legitimate functionality.

The tradeoff of functionality that can be abused, such as the accessibility tool, may require periodic re-evaluation and updates to minimize the chance of the functionality being abused. This is similar to how Google mitigated the new Android malware.