Android accessibility features include a robust set of toolsallowing developers to create apps for assisting people with disabilities. Unfortunately, this useful set of tools can also be abused and turned into an attack vector, providing malware with the ability to interact and readcontent from third-party apps. In this work, we are the first to study the impact that the stealthy exploitation of Android accessibility services can have on significantly reducing the forensic footprint of malware attacks, thus hindering both liveand post-incident forensic investigations. We show that through Living off the Land (LotL) tactics, or by offering a malware-only substitute for attacks typically requiring more elaborate schemes, accessibility-based malware can be rendered virtually undetectable. In the LotL approach, we demonstrate accessibility-enabled SMS andcommand and control (C2) capabilities. As for the latter, we show acomplete cryptocurrency wallet theft, whereby the accessibility trojancan hijack the entire withdrawal process of a widely used app, including two-factor authentication (2FA). In both cases, we demonstrate how the attacks result in significantly diminished forensic evidence when compared to similar attacks not employing accessibility tools, even to the extent of maintaining device take-over without requiring malware per-sistence.
Authors: Yonas Leguesse; Mark Vella; Christian Colombo; Julio Hernandez-Castro.
Date of Publication: 16 September, 2020.