
Accessibility Service – An Android Blessing and a Security Challenge in the Same Package

Silviu STAHIE

October 06, 2023


Android's accessibility service is a powerful tool that allows people with disabilities to use mobile devices more easily. It's also a favorite among criminals seeking to take over a device because it holds so much power.

Accessibility is a permission rarely invoked by apps that have nothing to do with providing people with disabilities with useful features. Its power is well-known, and very few official apps will mess with it for fear of attracting the wrath of Google.

On the other hand, malicious apps don't have the same qualms when invoking the Accessibility permission. In fact, many types of malware will try to gain access to this permission as a way to take over control and monitor devices.

When it comes to sideloading or installing third-party apps on devices, there's no doubt that Android is king. But this critical feature also opens up the possibility of installing malware, which will try to gain access to devices and invoke permissions for Accessibility.

Why it's dangerous

The Accessibility service can be used in countless ways to help people, and Google's official advice is that this functionality should only be invoked by the right apps. There used to be a time when users were just presented with a long list of permissions an app needed to function. People would just mindlessly give them away.

In modern Android devices, that's no longer the case. Now, only when an app needs a particular permission will the user grant it explicitly. In fact, the app needs to state why it needs that specific permission. For example, why give a weather app access to SMS or phone calls?

People need to remember that Accessibility services hold a great deal of power. We should be immediately suspicious when an app asks for permissions in this area.

Here's a list of what attackers can do with all that power.

  • The accessibility service can see everything shown on the screen and perform input at the user's direction.
  • Allowing accessibility permissions can put the device owner at financial and personal risk. Attackers can steal sensitive information, such as banking and other personal information (chats, device PIN, passwords of different accounts, OTP passcodes, contacts, and so much more).
  • Malware such as banking trojans can use this service to display transparent overlays that trick users and steal their banking credentials through a fake bank interface rather than the official app.
  • Trojans can be placed on top of banking apps and on top of almost anything, including the Settings app. With Accessibility, banking trojans can read the credentials while users type them into the actual banking application. In fact, they can go as far as simulating clicks on buttons and performing money transfers.
  • Together with Device Admin privileges, malware can do anything on the device (i.e. send SMS, forward calls, read storage, and pretty much everything you can imagine).
  • To ensure its persistence, the malware can prevent the user from uninstalling it using both Accessibility and Device Admin.
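One way to check a device for the combination described above (a sideloaded app that holds an enabled accessibility service, possibly together with Device Admin) is to cross-reference two pieces of `adb` output. This is an added example, not code from the article; the `com.example.*` packages and sample strings are constructed, the trusted-installer set is an assumption, and `device_admins` is a set of package names the analyst collects separately.

```python
# Added example (not from the article). Inputs come from two real adb commands:
#   adb shell settings get secure enabled_accessibility_services
#   adb shell pm list packages -3 -i      (-3 = third-party apps, -i = installer)
TRUSTED_INSTALLERS = {"com.android.vending"}  # assumption: only Google Play is trusted

# Constructed sample output; the com.example.* packages are made up.
SAMPLE_SERVICES = ("com.google.android.marvin.talkback/"
                   "com.google.android.marvin.talkback.TalkBackService:"
                   "com.example.reader/com.example.reader.ReadAloudService:"
                   "com.example.flashlight/.HelperService")
SAMPLE_PACKAGES = ("package:com.example.reader  installer=com.android.vending\n"
                   "package:com.example.flashlight  installer=null\n")

def parse_enabled_services(raw):
    """Split the colon-separated component list into (package, class) pairs."""
    raw = raw.strip()
    if raw in ("", "null"):            # setting unset: no service is enabled
        return []
    services = []
    for comp in filter(None, raw.split(":")):
        pkg, _, cls = comp.partition("/")
        if cls.startswith("."):        # short form, class relative to the package
            cls = pkg + cls
        services.append((pkg, cls))
    return services

def parse_installers(raw):
    """Map package -> installer from 'package:<name>  installer=<name>' lines."""
    installers = {}
    for line in raw.splitlines():
        fields = line.strip().partition("package:")[2].split()
        if not fields:                 # blank line or a line without 'package:'
            continue
        installers[fields[0]] = next(
            (f.split("=", 1)[1] for f in fields[1:] if f.startswith("installer=")),
            "null")
    return installers

def audit(services_raw, packages_raw, device_admins=frozenset()):
    """Flag enabled accessibility services that belong to sideloaded apps."""
    # device_admins: active device-admin package names, gathered separately (assumption)
    third_party = parse_installers(packages_raw)
    findings = []
    for pkg, cls in parse_enabled_services(services_raw):
        installer = third_party.get(pkg)
        if installer is None or installer in TRUSTED_INSTALLERS:
            continue                   # preinstalled, or installed from a trusted store
        findings.append({"package": pkg, "service": cls, "installer": installer,
                         "device_admin": pkg in device_admins})
    return findings
```

An installer of `null` also appears for apps installed over `adb`, so a flagged entry is a prompt to review the app rather than a verdict.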

Conclusion

Users can stay safe by installing security solutions such as Bitdefender Mobile Security, which can be a proactive measure against these threats. But the power of the Accessibility service makes it mandatory for any user to add it to the list of regular common-sense advice: don't open email attachments from unknown senders, don't click on links from messages that invoke urgency, and always be suspicious of any app asking for Accessibility permissions.

Author


Silviu STAHIE

Silviu is a seasoned writer who has followed the technology world for almost two decades, covering topics ranging from software to hardware and everything in between.
