Tracking side-loaded accessibility services

      Technique summary
    Technique Tracking side-loaded accessibility services
    Against Malicious accessibility services
    Limitations Requires QUERY_ALL_PACKAGES privilege
    Side effects This technique may restrict third-party app stores if they are not included in the installer list
    Recommendations Recommended for use combined with other techniques for older devices

    This technique is an extension of accessibility services allow-listing.

    Yet another criterion for considering applications as suspicious is whether they have enabled accessibility services and they are side-loaded. The implementation is shown in the snippet below:

    private void inspectSideLoadedA11yServices() { AccessibilityManager am =(AccessibilityManager) mContext. getSystemService(Context.ACCESSIBILITY_SERVICE); a11yServiceList = am.getEnabledAccessibilityServiceList(FEEDBACK_ALL_MASK); // (...) for (AccessibilityServiceInfo asi : a11yServiceList) { packageName = asi.getId().split("/")[0]; try { if (Build.VERSION.SDK_INT >= Build.VERSION_CODES.R) { installer = packageManager. getInstallSourceInfo(packageName). getInstallingPackageName(); } else { installer = packageManager.getInstallerPackageName(packageName); } if (installer == null || !installer.equals("")) { Log.d(TAG, "[!] app '" + packageName + "' has a11y and is side-loaded"); sideLoadedA11yAppList.add(packageName); } } catch(PackageManager.NameNotFoundException e) { } } }



    Table of contents