Tracking device admin accessibility services

      Technique summary

    Technique        Tracking device admin accessibility services
    Against          Malicious accessibility services
    Limitations      None
    Side effects     None
    Recommendations  Recommended for use combined with other techniques for older devices

    This technique is an extension of accessibility services allow-listing.

    A common malware workflow pattern is to first obtain accessibility service rights and later also device admin rights. Therefore, one detection strategy is to look for applications that hold both privileges at the same time.

    This code can be used to enumerate accessibility services:

    private void inspectA11yServices() {
        AccessibilityManager am = (AccessibilityManager)
                mContext.getSystemService(Context.ACCESSIBILITY_SERVICE);
        // Enabled services of every feedback type (FEEDBACK_ALL_MASK is
        // AccessibilityServiceInfo.FEEDBACK_ALL_MASK, statically imported here)
        a11yServiceList = am.getEnabledAccessibilityServiceList(FEEDBACK_ALL_MASK);
    }

    The next block of code enumerates device admin apps:

    private void inspectDeviceAdminApps() {
        DevicePolicyManager devicePolicyManager = (DevicePolicyManager)
                mContext.getSystemService(Context.DEVICE_POLICY_SERVICE);
        // getActiveAdmins() returns null when no device admin is active
        List<ComponentName> activeDeviceAdminComp = devicePolicyManager.getActiveAdmins();
        if (activeDeviceAdminComp != null) {
            // active device admin apps were found
            for (ComponentName cn : activeDeviceAdminComp) {
                deviceAdminAppList.add(cn.getPackageName());
            }
        }
    }

    And finally, this block of code checks whether any app appears in both lists:

    public boolean getVerdict() {
        boolean result = false;
        for (AccessibilityServiceInfo asi : a11yServiceList) {
            // The service id is the flattened component name, "package/service.class"
            String id = asi.getId();
            for (String pn : deviceAdminAppList) {
                if (id.contains(pn)) {
                    Log.d(TAG, "[!] app '" + pn + "' is suspicious (a11y + device admin)");
                    suspiciousAppList.add(pn);
                    result = true;
                }
            }
        }
        return result;
    }
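    The three snippets above belong to one procedure, so here is the whole check as a single self-contained class. This is an added example, not Guardsquare's code: the package name, class name and the caller-supplied allow-list are assumptions. It differs from the snippets in one deliberate way: instead of `id.contains(pn)`, it unflattens the accessibility service id into a ComponentName and compares package names exactly, so a device admin package whose name is merely a prefix of another package's name is not flagged by accident. The pure matching step is kept static and free of Android dependencies so it can be unit-tested on the JVM.

```java
package com.example.a11ycheck; // hypothetical package name

import android.accessibilityservice.AccessibilityServiceInfo;
import android.app.admin.DevicePolicyManager;
import android.content.ComponentName;
import android.content.Context;
import android.view.accessibility.AccessibilityManager;

import java.util.ArrayList;
import java.util.Collections;
import java.util.HashSet;
import java.util.List;
import java.util.Set;

/**
 * Added example (not part of the original page): flags apps that hold both an
 * enabled accessibility service and an active device admin, after removing
 * packages on a caller-supplied allow-list (assumed to be the allow-listing
 * the page says this technique extends).
 */
public final class A11yDeviceAdminCheck {

    private final Context context;
    private final Set<String> allowedPackages;

    public A11yDeviceAdminCheck(Context context, Set<String> allowedPackages) {
        this.context = context.getApplicationContext();
        this.allowedPackages = Collections.unmodifiableSet(new HashSet<>(allowedPackages));
    }

    /** Package names of every enabled accessibility service, any feedback type. */
    Set<String> enabledA11yPackages() {
        Set<String> pkgs = new HashSet<>();
        AccessibilityManager am = (AccessibilityManager)
                context.getSystemService(Context.ACCESSIBILITY_SERVICE);
        if (am == null) return pkgs;
        List<AccessibilityServiceInfo> services =
                am.getEnabledAccessibilityServiceList(AccessibilityServiceInfo.FEEDBACK_ALL_MASK);
        for (AccessibilityServiceInfo asi : services) {
            // getId() is the flattened "package/class" component name; unflatten it
            // rather than substring-matching so package comparison is exact.
            ComponentName cn = ComponentName.unflattenFromString(asi.getId());
            if (cn != null) pkgs.add(cn.getPackageName());
        }
        return pkgs;
    }

    /** Package names of every active device admin (empty when there are none). */
    Set<String> activeDeviceAdminPackages() {
        Set<String> pkgs = new HashSet<>();
        DevicePolicyManager dpm = (DevicePolicyManager)
                context.getSystemService(Context.DEVICE_POLICY_SERVICE);
        if (dpm == null) return pkgs;
        List<ComponentName> admins = dpm.getActiveAdmins(); // null when no admin is active
        if (admins == null) return pkgs;
        for (ComponentName cn : admins) pkgs.add(cn.getPackageName());
        return pkgs;
    }

    /**
     * Pure matching step: packages present in both sets and not allow-listed.
     * Static and Android-free so it can be unit-tested with constructed sets.
     */
    static List<String> suspiciousPackages(Set<String> a11yPkgs,
                                           Set<String> adminPkgs,
                                           Set<String> allowed) {
        List<String> result = new ArrayList<>();
        for (String pkg : a11yPkgs) {
            if (adminPkgs.contains(pkg) && !allowed.contains(pkg)) {
                result.add(pkg);
            }
        }
        Collections.sort(result); // deterministic order for logging/reporting
        return result;
    }

    /** Runs the full check on this device; non-empty result means "suspicious". */
    public List<String> run() {
        return suspiciousPackages(enabledA11yPackages(), activeDeviceAdminPackages(),
                                  allowedPackages);
    }
}
```

    Neither getEnabledAccessibilityServiceList() nor getActiveAdmins() requires a special permission, so the check runs inside a normal app. Call run() from a background thread if you schedule it repeatedly; the two system-service queries are cheap but the result is only as current as the moment it was taken, so re-check after the app returns to the foreground.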


    Guardsquare
