The progress made with voice recognition and speech generation technology in the last few years is making it possible to interact with our phones through speech efficiently. In situations where it is not advisable to touch the screen - like when you are driving - the accessibility technology enables us to control the phone safely. Accessibility is no longer just for the visually impaired.

The downside to all of this is that the same accessibility mechanisms can be used by malware as well. Usually, apps on your phone are protected from each other using sandboxing (you can read more on that topic here, where we dive into virtualisation and sandboxes); yet, with accessibility, it is possible for an app that is masquerading as an accessibility service to both see the content of another app, and to perform input actions to that app. That means that the normal wall between the apps can be broken, even if the malware does not have root access to the device.

An excellent example of how malware can use accessibility is the Gustuff malware, which has been for sale on “the dark web” since 2018. The malware spreads by SMS, sent by infected devices to contacts in the address book of the victim. Once installed, a unique feature - ATS (Automatic Transfer System) - is enabled. ATS auto-fills fields in legitimate mobile banking apps, cryptocurrency wallets and other apps when the user opens them. It can even change fields in banking apps based on instructions from a command and control server, or harvest banking credentials when entered by the user. And, of course, if SMS messages are used, the malware can read the messages instead of showing them to the user.

In this youtube video, you can see how this appears to the end-user. 

Of course, the designers of the operating systems are well aware of the dangers of accessibility, so users are required to allow such access rights manually. But, sadly a large number of users don’t read any systems prompts, and gladly install software from alternative sources, even software that they’ve received a link to in a text message. As a software provider, it is very hard to protect against these types of attacks. We can, of course, make it very hard to exploit accessibility towards our SDK. Still, if the user is tricked into entering their credentials into a totally different application, it is not so much we can do.

It should be noted that it is not possible to create an accessibility service on iOS, as Apple is in full control of that platform. That means in practice that it is harder for malware to exploit accessibility on iOS. When it comes to how you can protect your Android device there are a few essential rules to follow: Do not install software from other sources than the Google Play Store, and make sure that your device is up to date. You should also regularly check what is installed on your device, to make sure that there is no suspicious software suddenly showing up. If you think your device has been infected the only recourse might be to back up any files, then do a factory reset.