Accessibility Abuse
Using Android's accessibility framework to control the device programmatically. An accessibility service can read any screen, click any button, type into any field, and perform any gesture. This gives malware full device control without exploiting any vulnerability: the framework works exactly as designed, just not for its intended purpose.
See also: BIND_ACCESSIBILITY_SERVICE for the permission details, Notification Suppression, Anti-Analysis Techniques, Camera & Mic Surveillance
Requirements
| Requirement | Details |
|---|---|
| Permission | BIND_ACCESSIBILITY_SERVICE (granted via Settings toggle) |
| Social Engineering | Convince user to enable the service |
No exploit needed. The hardest part is getting the user to the Settings toggle and convincing them to enable it. Malware typically uses fake overlay dialogs ("Enable this service to continue", "Battery optimization required", "Accessibility update needed").
Attack Capabilities
Keylogging
Accessibility services receive TYPE_VIEW_TEXT_CHANGED events containing the text entered in any field across any app.
Keylogging via Accessibility Events
Auto-Granting Permissions
The malware navigates the system UI to grant itself additional permissions:
- Open Settings via intent
- Traverse the view tree to find "Allow" or toggle buttons
- Perform ACTION_CLICK on the target node
- Repeat for each permission needed
This effectively escalates from one permission (accessibility) to all permissions.
On-Device Fraud (ATS)
Automated Transfer System: the malware operates the real banking app to initiate transfers. Steps:
- Wait for user to log into banking app (or use stolen credentials via overlay)
- Navigate to transfer screen using accessibility gestures
- Fill in attacker-controlled recipient and amount
- Confirm the transaction
- Intercept OTP from notification and enter it
The user's device is locked or shows a fake "updating" screen during the process. The transaction happens through the legitimate banking app, making it harder for bank-side fraud detection to flag.
Anti-Removal
The malware prevents its own uninstallation:
- Monitors for navigation to Settings > Apps > [malware]
- When detected, performs GLOBAL_ACTION_HOME or GLOBAL_ACTION_BACK to exit Settings
- Can also click "Cancel" on uninstall confirmation dialogs
- Some families lock the screen and display a persistent overlay
Notification Interception
With flagRetrieveInteractiveWindows, the accessibility service can read notification content from any app, functioning as an alternative to BIND_NOTIFICATION_LISTENER_SERVICE.
Screen Streaming / VNC
Some families (Hook, Octo) use accessibility events to build a real-time representation of the screen and stream it to the attacker, creating a VNC-like remote access capability.
Malware Families by Accessibility Capability
| Family | Keylog | ATS | Anti-Remove | Screen Stream | Auto-Grant |
|---|---|---|---|---|---|
| Anatsa | Yes | Yes | Yes | No | Yes |
| Cerberus | Yes | No | Yes | No | Yes |
| Hook | Yes | Yes | Yes | Yes (VNC) | Yes |
| Octo | Yes | Yes | Yes | Yes | Yes |
| SharkBot | No | Yes | Yes | No | Yes |
| Xenomorph | Yes | Yes | Yes | No | Yes |
| Medusa | Yes | No | Yes | Yes | Yes |
| Hydra | Yes | No | Yes | Yes | Yes |
Encrypted Messaging Interception
A technique introduced by Sturnus in 2025 that exploits a fundamental weakness in encrypted messaging apps: messages must be decrypted for display. The accessibility service reads message content after the messaging app has already decrypted it for the user's screen.
End-to-end encryption provides no protection
This works against WhatsApp, Telegram, Signal, and any app that renders plaintext on the device UI. The malware monitors TYPE_VIEW_TEXT_CHANGED and TYPE_WINDOW_CONTENT_CHANGED events from target messaging packages, capturing message text, sender info, and timestamps. Interception occurs after decryption, at the presentation layer.
Human Behavior Mimicry
Herodotus introduced typing delays and natural gesture patterns during ATS operations to evade behavioral biometric systems that banks deploy to detect automated device interaction. Rather than filling form fields instantly (a signal that fraud detection systems flag), the malware types characters with randomized inter-keystroke timing and performs swipe gestures at human-plausible speeds.
Custom Keyboard Keylogging
BlankBot and Frogblight implement a custom InputMethodService (IME) that replaces the device keyboard. Once the malware's keyboard is set as default, every keystroke across every app passes through it. Unlike standard accessibility keylogging, which captures text change events after the fact, a custom keyboard intercepts each key press directly, capturing passwords, PINs, and messages, including characters deleted before submission.
The malware uses accessibility to silently navigate to Settings > Language & Input and switch the default keyboard to its own IME without user awareness. On some Android versions, this can be done entirely through accessibility gestures.
Fake Lockscreen PIN Capture
TrickMo and TsarBot display a full-screen overlay that replicates the device's lockscreen. When the device "appears" to lock, the user enters their PIN or pattern into the malware's fake lockscreen rather than the real one. The captured PIN enables the attacker to unlock the device during remote access sessions. This is distinct from banking overlay phishing since it targets the device unlock credential rather than app-specific credentials.
Contact List Injection
Crocodilus uses accessibility to add entries to the device's contact list, inserting attacker-controlled phone numbers labeled as "Bank Support" or similar. When the victim later needs to contact their bank, they find the injected contact and call the attacker directly. This extends the accessibility attack surface beyond the device into social engineering.
Social Engineering to Enable
Common lures used to get users to the accessibility settings:
| Lure | Approach |
|---|---|
| "Accessibility update required" | Fake system dialog |
| "Battery optimization" | Overlay directing user to enable service |
| "Security scan" | Fake antivirus requiring accessibility |
| "Enable to continue" | App refuses to function until enabled |
| "Google Chrome update" | Impersonates Chrome update process |
Android Mitigations
| Version | Change | Impact |
|---|---|---|
| Android 11 | isAccessibilityTool metadata required for visibility | Only affects apps targeting API 30+ |
| Android 13 | Restricted settings for sideloaded apps | Bypassed by session-based installers |
| Android 13 | Accessibility shortcut warning improved | Users still click through |
| Android 15 | Expanded restricted settings | Closes some session-installer loopholes |
Fundamental Limitation
There is no technical way to distinguish a malicious accessibility service from a legitimate one at install time. The capability is inherent to the API.
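Since install-time distinction is impossible, the practical check is a runtime one. The following is an added example, not code from the original page: it audits the values that `adb shell settings get secure` prints for enabled_accessibility_services, accessibility_enabled and default_input_method (the latter covers the custom-IME keylogging technique above), flagging any accessibility service or default keyboard whose package is outside an allowlist. The allowlists, package names and sample values are constructed for illustration.

```python
from __future__ import annotations
from dataclasses import dataclass

# Constructed allowlists (hypothetical): packages you expect to provide an
# accessibility service or a keyboard on the devices you manage.
KNOWN_GOOD_ACCESSIBILITY = {"com.google.android.marvin.talkback"}
KNOWN_GOOD_IME = {"com.google.android.inputmethod.latin"}

@dataclass(frozen=True)
class Finding:
    setting: str     # which secure setting the finding came from
    component: str   # package/class that triggered it ("" for toggle checks)
    reason: str

def parse_component_names(value: str) -> list[tuple[str, str]]:
    """Split a settings value into (package, class) pairs.

    Android stores these as ComponentName.flattenToString() results joined by
    ':'; a class that starts with '.' is relative to its package. 'settings get'
    prints the literal string 'null' when the setting is unset.
    """
    pairs = []
    for raw in value.strip().split(":"):
        if "/" not in raw:
            continue  # skips empty entries and the 'null' sentinel
        pkg, cls = raw.split("/", 1)
        if cls.startswith("."):
            cls = pkg + cls
        pairs.append((pkg, cls))
    return pairs

def audit_device(enabled_services: str, accessibility_enabled: str, default_ime: str) -> list[Finding]:
    """Flag non-allowlisted accessibility services, an inconsistent master toggle, and a non-allowlisted keyboard."""
    findings: list[Finding] = []
    services = parse_component_names(enabled_services)
    if accessibility_enabled.strip() == "1" and not services:
        findings.append(Finding("accessibility_enabled", "", "master toggle on but no service listed"))
    for pkg, cls in services:
        if pkg not in KNOWN_GOOD_ACCESSIBILITY:
            findings.append(Finding("enabled_accessibility_services", f"{pkg}/{cls}", "service package not on allowlist"))
    for pkg, cls in parse_component_names(default_ime):
        if pkg not in KNOWN_GOOD_IME:
            findings.append(Finding("default_input_method", f"{pkg}/{cls}", "default keyboard not on allowlist"))
    return findings

# Constructed sample values, in the form 'adb shell settings get secure <name>' prints them.
SAMPLE_SERVICES = ("com.google.android.marvin.talkback/com.google.android.marvin.talkback.TalkBackService:"
                   "com.example.batteryopt/.AccessibilityHelper")
SAMPLE_IME = "com.example.batteryopt/.FakeKeyboard"

if __name__ == "__main__":
    for f in audit_device(SAMPLE_SERVICES, "1", SAMPLE_IME):
        print(f"[{f.setting}] {f.component}: {f.reason}")
```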
Families Using This Technique
| Family | Primary Accessibility Abuse |
|---|---|
| Cerberus | Keylogging |
| Anatsa | ATS |
| Hook | Screen streaming |
| Ermac | Overlay trigger |
| SharkBot | ATS |
| Gustuff | ATS |
| Xenomorph | ATS |
| Octo | Screen streaming |
| Hydra | Overlay trigger |
| Medusa | Screen streaming |
| Vultur | Screen streaming |
| GodFather | Overlay trigger |
| Chameleon | Permission escalation |
| Copybara | ATS |
| FluBot | Permission escalation |
| MoqHao | Auto-execution, permission escalation |
| Zanubis | ATS |
| Mamont | Permission escalation |
| SoumniBot | Data theft |
| Crocodilus | Full DTO, contact list injection |
| Herodotus | ATS with human behavior mimicry |
| Sturnus | Encrypted messaging interception |
| RatOn | ATS + NFC relay |
| Klopatra | ATS |
| BingoMod | VNC-based DTO |
| Brokewell | Screen streaming, ATS |
| Albiriox | ATS |
| LeifAccess | Fake Google Play review posting |
| NGate | Permission escalation |
| GoldPickaxe | Facial biometric capture |
| SpyNote | Keylogging, anti-removal |
| Antidot | ATS, keylogging |
| TrickMo | Keylogging, fake lockscreen PIN capture |
| TsarBot | ATS, fake lockscreen PIN capture |
| BlankBot | Custom keyboard keylogging |
| Frogblight | Custom keyboard keylogging |
| ToxicPanda | ATS |
| BTMOB RAT | Credential harvesting, auto-grant |
| Rafel RAT | Anti-removal, notification siphoning |
| Gigabud | Screen recording trigger, automated payments |
| PJobRAT | Data exfiltration |
| Rafel RAT | Keylogging, device control |
| DeVixor | Remote access via accessibility |
| FireScam | Notification monitoring |