Tracking device admin accessibility services

      Technique summary
    Technique Tracking decide admin accessibility services
    Against Malicious accessibility services
    Limitations None
    Side effects None
    Recommendations Recommended for use combined with other techniques for older devices

    This technique is an extension of accessibility services allow-listing.

    A common malware workflow pattern is to obtain accessibility service rights, and later also device admin rights. Therefore, a strategy could be to check applications that have both privileges.

    This code can be used to enumerate accessibility services:

    private void inspectA11yServices() { AccessibilityManager am =(AccessibilityManager) mContext. getSystemService(Context.ACCESSIBILITY_SERVICE); a11yServiceList = am.getEnabledAccessibilityServiceList(FEEDBACK_ALL_MASK); }

    The next block of code would enumarate device admin apps:

    private void inspectDeviceAdminApps() { DevicePolicyManager devicePolicyManager = (DevicePolicyManager) mContext. getSystemService(Context.DEVICE_POLICY_SERVICE); List activeDeviceAdminComp = devicePolicyManager.getActiveAdmins(); if (activeDeviceAdminComp != null) { // active device admin apps were found for (ComponentName cn : activeDeviceAdminComp) { deviceAdminAppList.add(cn.getPackageName()); } } }

    And finally, this block of code will check whether there is any app in both lists:

    public boolean getVerdict() { boolean result = false; for (AccessibilityServiceInfo asi : a11yServiceList) { String id = asi.getId(); for (String pn: deviceAdminAppList) { if (id.contains(pn)) { Log.d(TAG, "[!] app '" + pn + "' is suspicious (a11y + device admin)"); suspiciousAppList.add(pn); result = true; } } } return result; }



    Table of contents