Google had put in additional security measures to make it hard for malware to steal banking information on the Android operating system. But, as we know, cybercriminals are a tenacious bunch and they have found a way to bypass the additional security through Android's accessibility services. Here are the details.
Some mobile malware that tries to steal victims' financial details does so by detecting which applications are running in the foreground on their devices. If the malware detects a banking app running, it tries to push the legitimate app to the background and bring up a lookalike screen instead. Victims may not be able to tell the difference and input their financial details into the fake app.
Previously, attackers could use the getRunningTasks API to find out which apps were running, but Google changed the operating system so that this is no longer possible on devices running Android Lollipop (5.0) and up. This kills a crucial element that financial malware such as the infamous Android.Bankosy needs in order to steal information.
Now attackers can use Android's accessibility service to find out what app is running on a targeted device. The service includes features like text-to-speech and gesture navigation to help people with a physical, visual or age-related impairment use their device.
Security vendor Symantec explains how attackers can take advantage of the accessibility service:
"Adware and PUAs (potentially unwanted apps) take advantage of these features by first registering an accessibility service. The apps’ authors do this by adding an intent filter to android.accessibilityservice.AccessibilityService in the manifest.
"The adware or PUA authors then configure the accessibility service to handle specific events on the app. For example, the author may set accessibilityEventType to typeAllMask so that the accessibility service can handle all types of accessibility events. Once the accessibility service has been configured, the adware or PUA uses social engineering to trick the user into turning on the accessibility service."
Once that is turned on, an adware or PUA can find out what apps are running and move itself into the foreground. Symantec predicts that financial malware will adopt this method soon.
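The manifest pattern Symantec describes is something an analyst can check for when triaging an app. The script below is an added example, not Symantec's code and not taken from any real app: it parses a decoded AndroidManifest.xml (as produced by a tool such as apktool) together with the referenced accessibility-service config, lists every service registered through the android.accessibilityservice.AccessibilityService intent filter or the BIND_ACCESSIBILITY_SERVICE permission, and flags a broad event subscription such as typeAllMask. The sample manifest, the service name `.OverlayHelperService` and the config file name are constructed for illustration.

```python
"""Audit a decoded AndroidManifest.xml and its accessibility-service config
for services that register as accessibility services and subscribe to
very broad event types (for example typeAllMask).

Assumes the manifest and the res/xml config have already been decoded to
plain XML; both sample documents below are constructed, not real apps.
"""
import xml.etree.ElementTree as ET

ANDROID_NS = "http://schemas.android.com/apk/res/android"
ACCESSIBILITY_ACTION = "android.accessibilityservice.AccessibilityService"
BIND_PERMISSION = "android.permission.BIND_ACCESSIBILITY_SERVICE"

# Constructed sample manifest (hypothetical package and service names).
SAMPLE_MANIFEST = """<manifest xmlns:android="http://schemas.android.com/apk/res/android"
          package="com.example.sample">
  <application android:label="Sample">
    <service android:name=".OverlayHelperService"
             android:permission="android.permission.BIND_ACCESSIBILITY_SERVICE">
      <intent-filter>
        <action android:name="android.accessibilityservice.AccessibilityService"/>
      </intent-filter>
      <meta-data android:name="android.accessibilityservice"
                 android:resource="@xml/accessibility_config"/>
    </service>
    <service android:name=".SyncService"/>
  </application>
</manifest>
"""

# Constructed sample of res/xml/accessibility_config.xml referenced above.
SAMPLE_CONFIG = """<accessibility-service
    xmlns:android="http://schemas.android.com/apk/res/android"
    android:accessibilityEventTypes="typeAllMask"
    android:accessibilityFlags="flagDefault"
    android:canRetrieveWindowContent="true"/>
"""


def attr(elem, name):
    """Read an attribute from the android: namespace."""
    return elem.get("{%s}%s" % (ANDROID_NS, name))


def find_accessibility_services(manifest_xml):
    """Return android:name of every <service> that registers as an
    accessibility service, either via the intent-filter action or by
    requiring the BIND_ACCESSIBILITY_SERVICE permission."""
    root = ET.fromstring(manifest_xml)
    found = []
    for service in root.iter("service"):
        actions = {attr(a, "name") for a in service.iter("action")}
        if ACCESSIBILITY_ACTION in actions or attr(service, "permission") == BIND_PERMISSION:
            found.append(attr(service, "name"))
    return found


def assess_config(config_xml):
    """Return findings describing how broad the declared service is."""
    root = ET.fromstring(config_xml)
    findings = []
    event_types = attr(root, "accessibilityEventTypes") or ""
    if "typeAllMask" in event_types:
        findings.append("subscribes to all accessibility events (typeAllMask)")
    elif "typeWindowStateChanged" in event_types:
        findings.append("subscribes to window state changes (can observe the foreground app)")
    if attr(root, "canRetrieveWindowContent") == "true":
        findings.append("can read window content")
    return findings


def audit(manifest_xml, config_xml):
    """Map each accessibility service in the manifest to its config findings."""
    return {name: assess_config(config_xml)
            for name in find_accessibility_services(manifest_xml)}


if __name__ == "__main__":
    for service_name, findings in audit(SAMPLE_MANIFEST, SAMPLE_CONFIG).items():
        print(service_name)
        for finding in findings:
            print("  -", finding)
```

A declared accessibility service is not malicious by itself; legitimate assistive apps need exactly these declarations. The useful signal is the combination the article describes: an app with no assistive purpose, a service subscribed to all event types, and install-time social engineering to get the user to enable it.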
The vendor recommends that users protect themselves by being very careful about where they download apps and by installing apps only from trusted sources. You should also pay close attention to the permissions that apps request.
[Via Symantec Security Blog]