Abstract
interface (API) methods to provide customized accessibility services in their own applications. However, the accessibility service has access to critical sensitive information, including information about applications that are currently running and account information. Attackers could utilize such a vulnerability to conduct various types of attacks. To prove the concept, we develop a malicious application which exploits this vulnerability. The installation, activation, and the payload of our malicious application are described as follows. First, to install our malicious application onto user devices, our malicious application may appear as a legitimate accessibility service application and provide some accessibility functionality. The installation of our malicious application requests the BIND_ACCESSIBILITY_SERVICE permission. Of course, other permissions are required if the malicious payload requires such permissions. The malicious application is triggered once an AccessibilityEvent object is dispatched. There are twenty-two AccessibilityEvent types, and each type of AccessibilityEvent exposes
Cite
Kraunelis, J., Chen, Y., Ling, Z., Fu, X., & Zhao, W. (2015). On Malware Leveraging the Android Accessibility Framework. ICST Transactions on Ubiquitous Environments, 1(4), e1. https://doi.org/10.4108/ue.1.4.e1