Living off Android’s accessible land

Abstract

Android’s accessibility services provide individuals having disabilities, including visual, hearing, physical, and/or speech impairments, with tools to enhance their ability to access and interact with apps. Even though this feature was originally intended exclusively for users with disabilities, this is not always the case. Besides being used to automate processes in apps such as password managers (e.g., Lastpass), malware is also abusing this powerful feature to perform nefarious operations. In this talk, we demonstrate how accessibility can be used to bypass assumed security features. By using a ‘living off the land’ (LOtL) approach, malware is able to use accessibility to piggyback on existing applications to grant it full access to their privileged functionality whilst achieving long-term stealth. This is demonstrated through a number of use cases including an SMS hijack implementation and Whatsapp message theft and exfiltration, all of which are executed using only the accessibility permission. These use cases will form a basis for the development of a pentest tool which will be used to perform a threat analysis on the permissions that can be bypassed through the use of accessibility across different Android versions and configurations.