This post was inspired by the excellent presentation by Jan Seredynski from THS 2023.
Cybersecurity is not a binary issue – there are no solutions that guarantee 100% security. In reality, it is more about risk assessment and choosing solutions that are less vulnerable to attacks. An example of such an assessment in the context of banking is the fact that confirming transactions through mobile apps is safer than using popular SMS codes, although effective attack methods also exist here. These may include fake apps impersonating banking apps and those exploiting vulnerabilities (e.g., Pegasus). However, one of the more interesting attacks on mobile banking involves installing seemingly innocent apps on the victim’s phone that abuse Android permissions.
The infection chain often starts with the victim installing an app from an untrusted source, lured by the claim that this version has premium features unlocked for free.
Unfortunately, it also happens that apps in the official Google Play store turn out to be malicious. Initially they contain no harmful functionality and gain it in later updates. Cybercriminals create apps with seemingly harmless purposes, for example a simple flashlight app or a camera tool. Such apps ask for permissions to various device functions. For several months they behave as declared and cause no problems. Users often give them positive reviews, which strengthens the app’s reputation and encourages more users to download it. After some time, however, the cybercriminals update the app to add malicious code or change its permissions in order to steal data. Delaying the malicious code in this way lets them pass the Google Play store’s verification process.
How do accessibility services and overlays work in the context of malware?
Accessibility Services allow, among other things, information displayed on the phone screen to be read aloud and form fields to be filled in on the user’s behalf.
A malicious app that abuses the accessibility services designed for people with disabilities can log everything that happens on the screen, including entered codes. In this way it can learn the password to a mobile banking app and independently initiate and confirm a transfer. The dangerous permissions are obtained through another clever trick – screen overlays. The user often isn’t even aware that they are accepting them.
An example of “Overlay Services” is the chat bubble that appears on top of other apps with a new Messenger message.
In the variant shown below, a fake screen overlay covers part of the real screen (hiding it from the user’s view), then asks the victim to enter information (usually confidential such as banking details, PIN codes, or security question answers). The victim thinks they are entering their confidential information in a trusted app, but in reality, they are sending it directly to the attacker.
The targets of this type of screen overlay attack are often mobile banking, fintech, e-commerce, gaming, or retail apps. Once the attacker knows the transaction confirmation PIN, they can use accessibility services to automatically log in to the real banking app and initiate and confirm a transfer after the user opens it.
Examples of real past attacks
- BrasDex is a type of malware focused on attacking Android systems, with a particular emphasis on banking apps in Brazil. When it infects a device, BrasDex identifies and attacks only selected apps. It uses Android’s accessibility features to monitor the screen, control touch, handle the keyboard, and perform other malicious actions. The main goal of BrasDex is to steal login data while using banking apps and perform transactions without the user’s knowledge.
- ERMAC 2.0 is a trojan on the Android platform used to steal users’ login credentials and send them to cybercriminals. Thieves use this data to take over victims’ bank and cryptocurrency accounts and to carry out various frauds. A typical example of its operation was a fake app found on a legitimate food delivery site. This fake app requested as many as 43 permissions, including access to accessibility services and overlays, enabling it to steal login credentials.
- Xenomorph is malware still used in attacks, although it debuted over two years ago. Initially, it was distributed through the Google Play store as a performance-enhancing app. Users installing these apps unknowingly infected their devices, believing that performance improvement required such wide permissions. Xenomorph can intercept text messages, enabling it to collect data used to confirm transactions. Additionally, it uses accessibility features to create discreet overlays on the screen.
Tips for developers on defending against malware using accessibility services:
- Block all accessibility services: This option is the least friendly to users with various disabilities, but it is one of the simplest ways to protect against permission abuse.
- Allow only whitelisted services: A more accessibility-friendly approach that uses an API to list all enabled Accessibility Services, identify their package IDs, and allow only certain trusted services to interact with the app. However, externally installed apps can spoof any package ID, so this defense protects only against threats from the Google Play store.
- Allow services with reasonable permissions: You can use the android:importantForAccessibility flag, which marks the UI elements that matter for accessibility. Set it to “false” for all sensitive fields in your app and restrict accessibility services that declare an interest in reading non-important fields. You can detect these by checking whether the service’s flags property includes FLAG_INCLUDE_NOT_IMPORTANT_VIEWS.
- Use biometrics and system dialogs: Requiring and using biometric authentication for important transactions can help prevent cybercriminals from using accessibility features to carry out unauthorized transactions in the user’s app. Requiring transactions to be conducted using system dialogs can effectively block overlays. Newer versions of Android do not allow overlays to operate on system windows.
- Utilize Android API 34: This update ensures that only verified accessibility services can see and access sensitive information in the app.
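The following Kotlin is an added example written for this post, not code from the presentation or from any of the apps mentioned. It puts tips 2, 3 and 5 together: it lists the enabled accessibility services, compares their package IDs against an allowlist, flags services that declare FLAG_INCLUDE_NOT_IMPORTANT_VIEWS or the ability to inject gestures, and hides a sensitive field from services using importantForAccessibility (the XML attribute takes the value `no`) and, on API 34, the accessibilityDataSensitive attribute. The allowlist contents, the RiskFinding type and the log tag are assumptions made for the example; the TalkBack package name is the real one.

```kotlin
// Added example, not part of the original post. Allowlist contents, RiskFinding
// and the log tag are assumptions made for illustration.
import android.accessibilityservice.AccessibilityServiceInfo
import android.content.Context
import android.os.Build
import android.util.Log
import android.view.View
import android.view.accessibility.AccessibilityManager

private const val TAG = "A11yGuard"

// Hypothetical allowlist of reviewed services. Sideloaded apps can spoof a
// package ID (as the post notes), so this filters Play-distributed threats only.
private val TRUSTED_SERVICE_PACKAGES = setOf(
    "com.google.android.marvin.talkback"   // TalkBack, Google's screen reader
)

data class RiskFinding(val serviceId: String, val reason: String)

/** Returns one finding per enabled accessibility service we would not allow
 *  near a PIN or transfer screen; an empty list means no concern was found. */
fun assessAccessibilityRisk(context: Context): List<RiskFinding> {
    val am = context.getSystemService(Context.ACCESSIBILITY_SERVICE) as AccessibilityManager
    val enabled = am.getEnabledAccessibilityServiceList(AccessibilityServiceInfo.FEEDBACK_ALL_MASK)
    val findings = mutableListOf<RiskFinding>()
    for (info in enabled) {
        val pkg = info.resolveInfo?.serviceInfo?.packageName ?: "unknown"
        val id = info.id ?: pkg
        // Tip 2: only allowlisted package IDs may interact with the app.
        if (pkg !in TRUSTED_SERVICE_PACKAGES) {
            findings += RiskFinding(id, "not on the allowlist")
            continue
        }
        // Tip 3: a service that asks to see views marked "not important for
        // accessibility" wants to read exactly the fields we tried to hide.
        if ((info.flags and AccessibilityServiceInfo.FLAG_INCLUDE_NOT_IMPORTANT_VIEWS) != 0) {
            findings += RiskFinding(id, "declares FLAG_INCLUDE_NOT_IMPORTANT_VIEWS")
        }
        // A screen reader does not need to inject touches; a transfer bot does.
        if (Build.VERSION.SDK_INT >= Build.VERSION_CODES.N &&
            (info.capabilities and AccessibilityServiceInfo.CAPABILITY_CAN_PERFORM_GESTURES) != 0) {
            findings += RiskFinding(id, "can perform gestures")
        }
    }
    findings.forEach { Log.w(TAG, "accessibility risk: ${it.serviceId} (${it.reason})") }
    return findings
}

/** Tip 3 and tip 5 applied to one sensitive input (PIN field, amount, IBAN). */
fun hardenSensitiveField(field: View) {
    // XML equivalent: android:importantForAccessibility="no"
    field.importantForAccessibility = View.IMPORTANT_FOR_ACCESSIBILITY_NO
    if (Build.VERSION.SDK_INT >= Build.VERSION_CODES.UPSIDE_DOWN_CAKE) {
        // API 34: XML equivalent android:accessibilityDataSensitive="true".
        // Only services the system recognises as accessibility tools can read it.
        field.setAccessibilityDataSensitive(View.ACCESSIBILITY_DATA_SENSITIVE_YES)
    }
}
```

A practical place to call `assessAccessibilityRisk` is in the Activity’s `onResume` just before the PIN or transfer screen is shown: a non-empty result can be logged to the fraud back end and the user shown an explanation instead of the sensitive form, while `hardenSensitiveField` is applied to every sensitive view when the layout is inflated. Note that the allowlist check alone is the weaker signal, for the reason the post gives.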
Recommendations for detecting overlays
Google has introduced several useful APIs to help detect and counteract malware attacks using overlays:
- API 9: When touch filtering is enabled (setFilterTouchesWhenObscured(boolean)), the system ignores user touches delivered while the view’s window is obscured by an overlay, i.e., when another visible window (a toast, message or dialog) sits at the touch location.
- API 29: This update lets developers detect partially obscured touches more accurately using the FLAG_WINDOW_IS_PARTIALLY_OBSCURED flag, which indicates that a window received a motion event while it was partially or completely obscured by another visible window. It is important to note that the event is flagged even if the touch itself did not pass directly through the overlay.
- API 31: This update provides developers with the setHideOverlayWindows(true) option, which hides and automatically removes non-system overlays. Currently, this is the most effective and efficient approach.
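The three APIs above, combined in one place, as an added Kotlin example written for this post (not code from the presentation or from any real banking app). A custom button turns on touch filtering, extends the framework’s obscured-window check with the API 29 partial-obscured flag, and the Activity hosting it asks the system to hide non-system overlays on API 31 and later. The class names and log tag are assumptions; the manifest permission named in the comment is the real one the API 31 call requires.

```kotlin
// Added example, not part of the original post. SecureConfirmButton,
// TransferConfirmActivity and the log tag are names chosen for illustration.
import android.app.Activity
import android.content.Context
import android.os.Build
import android.os.Bundle
import android.util.AttributeSet
import android.util.Log
import android.view.MotionEvent
import android.widget.Button

private const val TAG = "OverlayGuard"

class SecureConfirmButton @JvmOverloads constructor(
    context: Context, attrs: AttributeSet? = null
) : Button(context, attrs) {

    init {
        // API 9: the framework drops touches whose window carries
        // FLAG_WINDOW_IS_OBSCURED (another window sits at the touch point).
        // XML equivalent: android:filterTouchesWhenObscured="true"
        filterTouchesWhenObscured = true
    }

    // Called by the framework before a touch is dispatched; returning false
    // discards the event. The default check only looks at full obscuring, so
    // we add the API 29 partial flag: a tap is rejected even if the overlay
    // covers only a corner of our window and the finger never touched it.
    override fun onFilterTouchEventForSecurity(event: MotionEvent): Boolean {
        if (!super.onFilterTouchEventForSecurity(event)) {
            Log.w(TAG, "touch dropped: window obscured")
            return false
        }
        if (Build.VERSION.SDK_INT >= Build.VERSION_CODES.Q &&
            (event.flags and MotionEvent.FLAG_WINDOW_IS_PARTIALLY_OBSCURED) != 0) {
            Log.w(TAG, "touch dropped: window partially obscured")
            return false
        }
        return true
    }
}

class TransferConfirmActivity : Activity() {
    override fun onCreate(savedInstanceState: Bundle?) {
        super.onCreate(savedInstanceState)
        // API 31: hide non-system overlay windows while this Activity is shown.
        // Requires in AndroidManifest.xml:
        //   <uses-permission android:name="android.permission.HIDE_OVERLAY_WINDOWS" />
        if (Build.VERSION.SDK_INT >= Build.VERSION_CODES.S) {
            window.setHideOverlayWindows(true)
        }
        // setContentView(R.layout.activity_transfer_confirm) would follow; that
        // (assumed) layout uses SecureConfirmButton for the "Confirm" control.
    }
}
```

Dropped touches are logged rather than silently swallowed so that a burst of obscured taps on the confirmation screen can be surfaced to the user and reported; on devices below API 31 the button-level checks are the only line of defense, which is why both layers are kept.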
It is also important for ordinary users to know that accessibility services have no access to biometric data and cannot replicate it. Using biometric methods instead of traditional PINs/passwords is therefore recommended. Logging into apps with a fingerprint or facial recognition and confirming transactions the same way is much safer. Biometrics add an extra layer of security, as they are unique to each user and harder to copy or steal than traditional passwords or PINs. So, especially for financial transactions and access to important apps, biometric technologies are definitely the better solution.
Update 1: A non-specialist reader pointed out that new trojan variants have already appeared with mechanisms that try to persuade the victim to use an authorization method other than biometrics. The trojan automatically “clicks” the “cancel” button when it detects biometric authorization and thus forces the user to use alternative methods, whose data it can intercept.
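An added Kotlin example (written for this post, not taken from the presentation or from any real app) of what the biometric recommendation and the caveat in Update 1 mean in code: the prompt accepts only strong biometrics, the app offers no typed PIN fallback for a high-value transfer, and repeated cancellations are counted and treated as a reason to abort and report rather than as a reason to downgrade. It uses the androidx.biometric library; the class name, callback names and the cancellation threshold are assumptions.

```kotlin
// Added example, not part of the original post. BiometricTransferConfirmer, the
// callback names and MAX_CANCELS_BEFORE_ABORT are assumptions made for illustration.
import android.util.Log
import androidx.biometric.BiometricManager
import androidx.biometric.BiometricManager.Authenticators.BIOMETRIC_STRONG
import androidx.biometric.BiometricPrompt
import androidx.core.content.ContextCompat
import androidx.fragment.app.FragmentActivity

private const val TAG = "BioConfirm"
private const val MAX_CANCELS_BEFORE_ABORT = 3   // assumed policy value

class BiometricTransferConfirmer(private val activity: FragmentActivity) {
    private var cancelCount = 0

    /** Returns false without prompting if strong biometrics are unavailable. The
     *  caller should then refuse the transaction on this device instead of
     *  quietly falling back to a PIN that an overlay or keylogger could capture. */
    fun confirm(onConfirmed: () -> Unit, onAborted: (String) -> Unit): Boolean {
        val status = BiometricManager.from(activity).canAuthenticate(BIOMETRIC_STRONG)
        if (status != BiometricManager.BIOMETRIC_SUCCESS) {
            Log.w(TAG, "strong biometrics unavailable, status=$status")
            return false
        }
        val callback = object : BiometricPrompt.AuthenticationCallback() {
            override fun onAuthenticationSucceeded(result: BiometricPrompt.AuthenticationResult) {
                cancelCount = 0
                onConfirmed()
            }

            override fun onAuthenticationError(errorCode: Int, errString: CharSequence) {
                when (errorCode) {
                    // Both codes are what a forced "cancel" looks like to the app.
                    BiometricPrompt.ERROR_NEGATIVE_BUTTON,
                    BiometricPrompt.ERROR_USER_CANCELED -> {
                        cancelCount++
                        Log.w(TAG, "biometric prompt cancelled ($cancelCount)")
                        if (cancelCount >= MAX_CANCELS_BEFORE_ABORT) {
                            // Abort and let the back end see the event; never
                            // switch to a typed secret after cancellations.
                            onAborted("repeated cancellation; possible automated dismissal")
                        } else {
                            show(this)   // re-offer biometrics only
                        }
                    }
                    else -> onAborted("biometric error $errorCode: $errString")
                }
            }
        }
        show(callback)
        return true
    }

    private fun show(callback: BiometricPrompt.AuthenticationCallback) {
        val prompt = BiometricPrompt(activity, ContextCompat.getMainExecutor(activity), callback)
        val info = BiometricPrompt.PromptInfo.Builder()
            .setTitle("Confirm transfer")
            .setSubtitle("Use your fingerprint or face to approve this payment")
            // DEVICE_CREDENTIAL is deliberately not allowed, so the system offers
            // no PIN/pattern screen that a trojan could steer the user towards.
            .setAllowedAuthenticators(BIOMETRIC_STRONG)
            .setNegativeButtonText("Cancel")
            .setConfirmationRequired(true)
            .build()
        prompt.authenticate(info)
    }
}
```

The design choice is that cancellation is a signal, not a branch to a weaker method: a user who genuinely cannot use biometrics on a given device is handled by the `false` return of `confirm`, which the app can route to an out-of-band process, while a prompt that keeps disappearing on its own is exactly the behaviour Update 1 describes and deserves to be logged and stopped.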