Guardsquare security researcher and pentester, Jan Seredynski, recently discussed how attackers leverage accessibility features and overlays to exploit vulnerabilities in apps. The webinar, “Uncovering the Dark Side of Accessibility Features and Overlays on Android Apps,” began with a brief overview of the two common ways that attackers infect devices via an app:
The focus of the webinar was permissions abuse, specifically accessibility features and overlays, so we’ll examine security concerns surrounding these services.
Accessibility features are tools that enable individuals with disabilities to interact with an app. For example, a user with a visual impairment might rely on an accessibility service to read the text on the phone's screen aloud, help them fill out forms, and make selections in an app on their behalf.
Overlay services include permissions that allow one app to draw over another by creating an extra view layer over the host view. This is convenient for helping users interact with multiple apps at the same time. For example, a user may be searching for directions in Google Maps and receive an overlay message from Facebook Messenger. The Facebook Messenger overlay will appear on top of the Google Maps screen. Other overlay service examples can include a countdown or timer app that remains on your phone’s screen regardless of the app activity happening underneath.
Overlays have four general properties. While they have innocuous uses like the examples above, the following four properties can also be used by threat actors:
In the images below, you can see an example of both accessibility features and overlays. While both are considered to be convenient, and in the case of accessibility, vital for those with impairments, they’ve also been the source of global security incidents across industries like the examples below.
When thinking about how threat actors leverage overlays and accessibility features to target users' sensitive information, it can be helpful to review recent, real-world examples.
These are just a few of the examples of overlay and accessibility services malware in action. In the webinar, Jan demonstrated on his device how quickly accessibility services could be used to navigate an unauthorized transaction — from start to finish, his example took mere seconds.
If you’re looking to avoid falling prey to overlay and accessibility services malware, it’s best to avoid downloading an untrustworthy app from the Google Play Store or a third-party app source. Reading app reviews carefully, evaluating the app’s developers or providers, and avoiding apps that promise to bypass paywalls or offer free access to premium features are a few ways to avoid shady apps. When targeting victims with these types of apps, threat actors utilize two main approaches: creating a new malicious app or sideloading.
Threat actors create malicious apps with “generic purposes.” An example of this is a simple flashlight or camera lens app. These apps ask for permissions to perform various actions on a device. For a few months, the apps perform as promised with no issues. Users are able to give honest feedback on the app’s performance, which boosts the app’s profile and encourages more users to download it. After some time, threat actors update the app to add malicious code or request additional permissions in order to infect the device. Waiting to add the malicious code allows threat actors to pass the Google Play Store’s initial review process.
Sideloading occurs when users who want restricted or premium functionality in an app download a version of it from outside the Google Play Store. Examples of this include downloading a modified version of the popular language learning app Duolingo to access unlimited courses, or a free version of YouTube Premium. Threat actors cleverly disguise permission requests to appear reasonable and necessary for the app to run properly. This could include enabling accessibility services so that the free version of YouTube Premium can supposedly operate in the background, or granting overlay permission so the app can remain in use while the user accesses other apps.
Developers can also help protect against these types of malware with some simple steps to secure apps and devices.
Google released a few useful APIs to help detect and deflect overlay malware attacks:
For additional information on these defense tactics and how to implement them using the APIs mentioned above, check out our blog, “Protecting Against Android Accessibility Services Threats.”
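As an added illustration (not code from the webinar, from Guardsquare, or from the blog referenced above), the following Kotlin view shows how an app can use the platform's touch-obscured filtering and the obscured-window flags on `MotionEvent`, together with Android 14's accessibility-data-sensitive marking, to reject taps delivered through an overlay on a sensitive control. The class name and the `onObscuredTap` callback are assumptions.

```kotlin
import android.content.Context
import android.os.Build
import android.util.AttributeSet
import android.view.MotionEvent
import android.view.View
import android.widget.Button

/**
 * A button for a sensitive action (e.g. confirming a transfer) that refuses
 * taps arriving while another window is drawn over it. Illustrative code;
 * the class name and callback are assumptions, not a platform API.
 */
class ObscuredAwareConfirmButton @JvmOverloads constructor(
    context: Context,
    attrs: AttributeSet? = null,
    defStyleAttr: Int = 0
) : Button(context, attrs, defStyleAttr) {

    /** Called when a tap is dropped because an overlay covered the view. */
    var onObscuredTap: (() -> Unit)? = null

    init {
        // Framework-level defence: the system discards touches delivered while
        // a window from another app (e.g. a fake "Accept" overlay) covers this view.
        filterTouchesWhenObscured = true

        // Android 14+: hide this control's data from accessibility services that
        // are not declared as accessibility tools, limiting what such a service
        // can read from or do to this view.
        if (Build.VERSION.SDK_INT >= Build.VERSION_CODES.UPSIDE_DOWN_CAKE) {
            setAccessibilityDataSensitive(View.ACCESSIBILITY_DATA_SENSITIVE_YES)
        }
    }

    // Defence in depth: inspect the per-event flags the platform sets on touches
    // that passed through an obscuring window, so the app can also log the event.
    override fun onFilterTouchEventForSecurity(event: MotionEvent): Boolean {
        val fullyObscured = (event.flags and MotionEvent.FLAG_WINDOW_IS_OBSCURED) != 0
        val partiallyObscured = Build.VERSION.SDK_INT >= Build.VERSION_CODES.Q &&
            (event.flags and MotionEvent.FLAG_WINDOW_IS_PARTIALLY_OBSCURED) != 0
        if (fullyObscured || partiallyObscured) {
            onObscuredTap?.invoke() // warn the user or record for fraud telemetry
            return false            // swallow the touch; the action is not performed
        }
        return super.onFilterTouchEventForSecurity(event)
    }
}
```

Both checks are advisory rather than absolute: a legitimate floating window (a chat bubble, a timer) also sets these flags, so the dropped tap should be explained to the user rather than silently ignored.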
The operating system, developers, and users all share responsibility for securing apps and devices against accessibility and overlay malware attacks. It is the operating system vendor’s (Apple or Google) responsibility to provide a secure API; we see this in Android’s systematic API improvements over the years. The development team must mitigate known risks in their apps, which includes considering how threat actors may seek to modify them. Finally, users should be mindful of the type of apps they download, which includes avoiding sideloaded apps and shady apps.
Want to learn more about permissions abuse? Access the full webinar here.