Tracking side-loaded accessibility services

    Technique summary

    Technique: Tracking side-loaded accessibility services
    Against: Malicious accessibility services
    Limitations: Requires QUERY_ALL_PACKAGES privilege
    Side effects: This technique may restrict third-party app stores if they are not included in the installer list
    Recommendations: Recommended for use combined with other techniques for older devices

    This technique is an extension of accessibility services allow-listing.

    Another criterion for treating an application as suspicious is that it has an enabled accessibility service and was side-loaded. The implementation is shown in the snippet below:

    private void inspectSideLoadedA11yServices() {
        AccessibilityManager am =
                (AccessibilityManager) mContext.getSystemService(Context.ACCESSIBILITY_SERVICE);
        List<AccessibilityServiceInfo> a11yServiceList =
                am.getEnabledAccessibilityServiceList(AccessibilityServiceInfo.FEEDBACK_ALL_MASK);
        // (...)
        for (AccessibilityServiceInfo asi : a11yServiceList) {
            // The service id has the form "package/class"; keep the package part.
            String packageName = asi.getId().split("/")[0];
            try {
                String installer;
                if (Build.VERSION.SDK_INT >= Build.VERSION_CODES.R) {
                    installer = packageManager.getInstallSourceInfo(packageName)
                            .getInstallingPackageName();
                } else {
                    installer = packageManager.getInstallerPackageName(packageName);
                }
                // No installer recorded, or an installer other than Google Play: side-loaded.
                if (installer == null || !installer.equals("com.android.vending")) {
                    Log.d(TAG, "[!] app '" + packageName + "' has a11y and is side-loaded");
                    sideLoadedA11yAppList.add(packageName);
                }
            } catch (PackageManager.NameNotFoundException e) {
                // Package could not be resolved; skip it.
            }
        }
    }
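    The side effect listed in the summary (third-party stores missing from the installer list) can be handled by checking against a configurable list instead of a single package name. The following is an added example, not Guardsquare's code: the class name `SideLoadedA11yCheck` is hypothetical, `com.example.trustedstore` is a constructed placeholder, and exempting pre-installed system apps is a policy assumption that goes beyond the snippet above.

```java
import android.accessibilityservice.AccessibilityServiceInfo;
import android.content.Context;
import android.content.pm.ApplicationInfo;
import android.content.pm.PackageManager;
import android.content.pm.ServiceInfo;
import android.os.Build;
import android.view.accessibility.AccessibilityManager;
import java.util.ArrayList;
import java.util.Arrays;
import java.util.HashSet;
import java.util.List;
import java.util.Set;

/** Hypothetical helper (added example): installer allow-list for enabled a11y services. */
public final class SideLoadedA11yCheck {
    // Installer list: Google Play plus a constructed placeholder for a store you trust.
    private static final Set<String> TRUSTED_INSTALLERS = new HashSet<>(
            Arrays.asList("com.android.vending", "com.example.trustedstore"));

    /** Pure decision logic, free of Android calls so it can be unit-tested off-device. */
    static boolean isSuspicious(String installer, boolean preinstalled) {
        if (preinstalled) return false; // assumption: apps on the system image are exempt
        return installer == null || !TRUSTED_INSTALLERS.contains(installer);
    }

    /** Returns the packages of enabled accessibility services that count as side-loaded. */
    public static List<String> findSideLoaded(Context context) {
        AccessibilityManager am = (AccessibilityManager)
                context.getSystemService(Context.ACCESSIBILITY_SERVICE);
        PackageManager pm = context.getPackageManager();
        Set<String> flagged = new HashSet<>(); // one entry per package, even with many services
        for (AccessibilityServiceInfo asi : am.getEnabledAccessibilityServiceList(
                AccessibilityServiceInfo.FEEDBACK_ALL_MASK)) {
            ServiceInfo si = asi.getResolveInfo().serviceInfo;
            boolean preinstalled =
                    (si.applicationInfo.flags & ApplicationInfo.FLAG_SYSTEM) != 0;
            String installer;
            try {
                installer = Build.VERSION.SDK_INT >= Build.VERSION_CODES.R
                        ? pm.getInstallSourceInfo(si.packageName).getInstallingPackageName()
                        : pm.getInstallerPackageName(si.packageName);
            } catch (PackageManager.NameNotFoundException | IllegalArgumentException e) {
                installer = null; // lookup failed (e.g. package not visible): unknown source
            }
            if (isSuspicious(installer, preinstalled)) flagged.add(si.packageName);
        }
        return new ArrayList<>(flagged);
    }
}
```

    Unlike the snippet above, a failed installer lookup is treated as an unknown source rather than skipped, so an app without the package visibility noted under Limitations will flag more services, not fewer.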

     

    Guardsquare
