On malware leveraging the Android accessibility framework

Abstract

The number of Android malware has been increasing dramatically in recent years. Android malware can violate users’ security, privacy and damage their economic situation. Study of new malware will allow us to better understand the threat and design effective antimalware strategies. In this paper, we introduce a new type of malware exploiting Android’s accessibility framework and describe a condition which allows malicious payloads to usurp control of the screen, steal user credentials and compromise user privacy and security. We implement a proof of concept malware to demonstrate such vulnerabilities and present experimental findings on the success rates of this attack. We show that 100% of application launches can be detected using this malware, and 100% of the time a malicious Activity can gain control of the screen. Our major contribution is two-fold. First, we are the first to discover the category of new Android malware manipulating Android’s accessibility framework. Second, our study finds new types of attacks and complements the categorization of Android malware by Zhou and Jiang [21]. This prompts the community to re-think categorization of malware for categorizing existing attacks as well as predicting new attacks.