Accessibility Abuse¶
Using Android's accessibility framework to control the device programmatically. An accessibility service can read any screen, click any button, type into any field, and perform any gesture. This gives malware full device control without exploiting any vulnerability: the framework works exactly as designed, just not for its intended purpose.
See also: BIND_ACCESSIBILITY_SERVICE for the permission details, Notification Suppression, Anti-Analysis Techniques, Camera & Mic Surveillance
MITRE ATT&CK
| ID | Technique | Tactic |
|---|---|---|
| T1453 | Abuse Accessibility Features | Collection, Credential Access |
| T1516 | Input Injection | Defense Evasion, Impact |
Requirements
| Requirement | Details |
|---|---|
| Permission | BIND_ACCESSIBILITY_SERVICE (granted via Settings toggle) |
| Social Engineering | Convince user to enable the service |
No exploit needed. The hardest part is getting the user to the Settings toggle and convincing them to enable it. Malware typically uses fake overlay dialogs ("Enable this service to continue", "Battery optimization required", "Accessibility update needed").
Attack Capabilities¶
Keylogging¶
Accessibility services receive TYPE_VIEW_TEXT_CHANGED events containing the text entered in any field across any app.
Keylogging via Accessibility Events
Auto-Granting Permissions¶
The malware navigates the system UI to grant itself additional permissions:
- Open Settings via intent
- Traverse the view tree to find "Allow" or toggle buttons
- Perform ACTION_CLICK on the target node
- Repeat for each permission needed
This effectively escalates from one permission (accessibility) to all permissions.
On-Device Fraud (ATS)¶
Automated Transfer System (T1516): the malware operates the real banking app to initiate transfers. MITRE ATT&CK has no standalone technique for ATS; it is a compound behavior combining T1453 (accessibility abuse) and T1516 (input injection). Steps:
- Wait for user to log into banking app (or use stolen credentials via overlay)
- Navigate to transfer screen using accessibility gestures
- Fill in attacker-controlled recipient and amount
- Confirm the transaction
- Intercept OTP from notification and enter it
The user's device is locked or shows a fake "updating" screen during the process. The transaction happens through the legitimate banking app, making it harder for bank-side fraud detection to flag.
Anti-Removal¶
The malware prevents its own uninstallation:
- Monitors for navigation to Settings > Apps > [malware]
- When detected, performs GLOBAL_ACTION_HOME or GLOBAL_ACTION_BACK to exit Settings
- Can also click "Cancel" on uninstall confirmation dialogs
- Some families lock the screen and display a persistent overlay
Notification Interception¶
With flagRetrieveInteractiveWindows, the accessibility service can read notification content from any app, functioning as an alternative to BIND_NOTIFICATION_LISTENER_SERVICE.
Screen Streaming / VNC¶
Some families (Hook, Octo) use accessibility events to build a real-time representation of the screen and stream it to the attacker, creating a VNC-like remote access capability. See Screen Capture for the full breakdown of MediaProjection vs. accessibility-based approaches.
Malware Families by Accessibility Capability¶
| Family | Keylog | ATS | Anti-Remove | Screen Stream | Auto-Grant |
|---|---|---|---|---|---|
| Anatsa | Yes | Yes | Yes | No | Yes |
| Cerberus | Yes | No | Yes | No | Yes |
| Hook | Yes | Yes | Yes | Yes (VNC) | Yes |
| Octo | Yes | Yes | Yes | Yes | Yes |
| SharkBot | No | Yes | Yes | No | Yes |
| Xenomorph | Yes | Yes | Yes | No | Yes |
| Medusa | Yes | No | Yes | Yes | Yes |
| Hydra | Yes | No | Yes | Yes | Yes |
Crypto Wallet Draining¶
Accessibility-based crypto wallet drainers robotically operate the victim's wallet app to transfer funds to the attacker. The accessibility service config declares packageNames targeting specific wallet apps (MetaMask, imToken, Trust Wallet, TokenPocket) with typeAllMask events, canRetrieveWindowContent=true, and canPerformGestures=true.
The attack operates as a state machine where each state corresponds to a screen in the wallet app:
- Detect UI language (Chinese/English/Vietnamese) by searching for known UI strings
- Read USDT balance from accessibility nodes, verify > 0
- Check gas balance is sufficient for the transfer (e.g., >= 0.0035 ETH)
- Navigate to USDT token transfer screen
- Inject attacker's wallet address into the recipient field via ACTION_ARGUMENT_SET_TEXT (action code 2097152)
- Input the full token balance as the transfer amount
- Click through Next, Confirm, and Send buttons via performAction(ACTION_CLICK)
Each wallet app requires its own operator implementation because the UI layouts differ. The operator classes handle wallet-specific navigation, button labels, and node hierarchies.
A variant targets mnemonic/seed phrase theft: the malware navigates to the seed phrase backup screen, walks the UI node tree looking for a parent container with 12+ children (the word grid), reads each word, builds a JSON payload, and exfiltrates it to a C2 endpoint.
These drainers are distributed as utility apps (calling helpers, phone cleaners) to trick users into enabling the accessibility service. A custom URI scheme (e.g., usdt://) is commonly used as a callback mechanism between the main app process and the accessibility service process.
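To make the declared capability profile above concrete from the defender's side, here is an added Python triage script (not code from this page or from any family it describes) that parses an accessibility-service config XML pulled from an APK and reports the capability combination it declares: event mask, canRetrieveWindowContent, canPerformGestures, the flagRetrieveInteractiveWindows flag from the Notification Interception section, the isAccessibilityTool declaration, and packageNames aimed at wallet apps. The sample config and the wallet package IDs are constructed/assumed for illustration.

```python
import xml.etree.ElementTree as ET

ANDROID_NS = "{http://schemas.android.com/apk/res/android}"
# Package IDs assumed for the wallet apps named on the page (illustrative watchlist).
WALLET_PACKAGES = {"io.metamask", "com.wallet.crypto.trustapp", "im.token.app", "vip.mytokenpocket"}

# Constructed sample of the res/xml config a drainer might ship; not taken from any real sample.
SAMPLE_CONFIG = """<?xml version="1.0" encoding="utf-8"?>
<accessibility-service xmlns:android="http://schemas.android.com/apk/res/android"
    android:accessibilityEventTypes="typeAllMask"
    android:accessibilityFlags="flagRetrieveInteractiveWindows|flagReportViewIds"
    android:canRetrieveWindowContent="true"
    android:canPerformGestures="true"
    android:packageNames="io.metamask,com.wallet.crypto.trustapp"
    android:isAccessibilityTool="false" />"""

def triage_accessibility_config(xml_text: str) -> dict:
    """Return verdict, findings and declared target packages for one config."""
    root = ET.fromstring(xml_text)
    if root.tag != "accessibility-service":
        raise ValueError("not an accessibility-service config")
    attr = lambda name: root.get(ANDROID_NS + name, "")
    flags = set(attr("accessibilityFlags").split("|")) - {""}
    events = attr("accessibilityEventTypes")
    targets = {p.strip() for p in attr("packageNames").split(",") if p.strip()}
    findings = []
    if events == "typeAllMask" or "typeViewTextChanged" in events:
        findings.append("subscribes to text-change events (keylogging-capable)")
    if attr("canRetrieveWindowContent") == "true":
        findings.append("canRetrieveWindowContent (reads any screen)")
    if attr("canPerformGestures") == "true":
        findings.append("canPerformGestures (dispatchGesture, ATS-capable)")
    if "flagRetrieveInteractiveWindows" in flags:
        findings.append("flagRetrieveInteractiveWindows (cross-window and notification content)")
    if attr("isAccessibilityTool") != "true":
        findings.append("isAccessibilityTool not declared (does not present as an assistive tool)")
    wallet_hits = sorted(targets & WALLET_PACKAGES)
    if wallet_hits:
        findings.append("packageNames target wallet apps: " + ", ".join(wallet_hits))
    # Crude scoring: screen read plus gestures aimed at finance apps is the drainer profile.
    verdict = "high" if len(findings) >= 4 else "medium" if len(findings) >= 2 else "low"
    return {"verdict": verdict, "findings": findings, "targets": sorted(targets)}
```

The static config is only a lower bound: a service can widen its event types at runtime through setServiceInfo(), so treat the verdict as triage input rather than proof.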
Encrypted Messaging Interception¶
A technique introduced by Sturnus in 2025 that exploits a fundamental weakness in encrypted messaging apps: messages must be decrypted for display. The accessibility service reads message content after the messaging app has already decrypted it for the user's screen.
End-to-end encryption provides no protection
This works against WhatsApp, Telegram, Signal, and any app that renders plaintext on the device UI. The malware monitors TYPE_VIEW_TEXT_CHANGED and TYPE_WINDOW_CONTENT_CHANGED events from target messaging packages, capturing message text, sender info, and timestamps. Interception occurs after decryption, at the presentation layer.
Human Behavior Mimicry¶
Herodotus introduced typing delays and natural gesture patterns during ATS operations to evade behavioral biometric systems that banks deploy to detect automated device interaction. Rather than filling form fields instantly (a signal that fraud detection systems flag), the malware types characters with randomized inter-keystroke timing and performs swipe gestures at human-plausible speeds.
Custom Keyboard Keylogging¶
BlankBot and Frogblight implement a custom InputMethodService (IME) that replaces the device keyboard. Once the malware's keyboard is set as default, every keystroke across every app passes through it. Unlike standard accessibility keylogging, which captures text change events after the fact, a custom keyboard intercepts each key press directly, capturing passwords, PINs, and messages, including characters deleted before submission.
The malware uses accessibility to silently navigate to Settings > Language & Input and switch the default keyboard to its own IME without user awareness. On some Android versions, this can be done entirely through accessibility gestures.
Fake Lockscreen PIN Capture¶
TrickMo and TsarBot display a full-screen overlay that replicates the device's lockscreen. When the device "appears" to lock, the user enters their PIN or pattern into the malware's fake lockscreen rather than the real one. The captured PIN enables the attacker to unlock the device during remote access sessions. This is distinct from banking overlay phishing since it targets the device unlock credential rather than app-specific credentials.
Contact List Injection¶
Crocodilus uses accessibility to add entries to the device's contact list, inserting attacker-controlled phone numbers labeled as "Bank Support" or similar. When the victim later needs to contact their bank, they find the injected contact and call the attacker directly. This extends the accessibility attack surface beyond the device into social engineering.
Social Engineering to Enable¶
Common lures used to get users to the accessibility settings:
| Lure | Approach |
|---|---|
| "Accessibility update required" | Fake system dialog |
| "Battery optimization" | Overlay directing user to enable service |
| "Security scan" | Fake antivirus requiring accessibility |
| "Enable to continue" | App refuses to function until enabled |
| "Google Chrome update" | Impersonates Chrome update process |
Platform Lifecycle¶
| Android Version | API | Change | Offensive Impact |
|---|---|---|---|
| 1.6 | 4 | Accessibility framework introduced | Basic screen reading only |
| 4.0 | 14 | canRetrieveWindowContent added | Full screen content extraction |
| 4.1 | 16 | TYPE_WINDOW_STATE_CHANGED events | Real-time foreground app detection for overlay triggering |
| 4.3 | 18 | flagRetrieveInteractiveWindows | Cross-window content access including notifications |
| 7.0 | 24 | dispatchGesture() API | Programmatic gestures enable ATS |
| 7.0 | 24 | GLOBAL_ACTION_LOCK_SCREEN | Lock device during fraud operations |
| 8.0 | 26 | Must declare handled event types in config XML | Malware declares all types |
| 11 | 30 | isAccessibilityTool metadata required for Play Store visibility | Only affects apps targeting API 30+; sideloaded malware unaffected |
| 12 | 31 | Password field text redaction in AccessibilityNodeInfo | Partial, depends on app implementation |
| 13 | 33 | Restricted settings for sideloaded apps | Bypassed by session-based installers |
| 13 | 33 | Accessibility shortcut warning improved | Users still click through warnings |
| 14 | 34 | accessibilityDataSensitive attribute | Apps can hide sensitive views from non-tool services; adoption is slow |
| 15 | 35 | Expanded restricted settings enforcement | Closes some session-installer loopholes |
Fundamental Limitation
There is no technical way to distinguish a malicious accessibility service from a legitimate one at install time. The capability is inherent to the API. API 24's dispatchGesture() was the inflection point: it turned accessibility from a passive observation tool into a full device automation framework that enables automated on-device fraud.
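Since install-time distinction is not possible, the practical control is a post-enablement check. The following added Python example (not from this page or from any tool it names) reads the value of the enabled_accessibility_services secure setting together with third-party installer information and flags enabled services that are neither allowlisted assistive tools nor installed from an app store, which is the sideloaded profile the lifecycle table describes. The adb outputs are constructed samples, the `pm list packages -3 -i` line format is assumed, and the TalkBack allowlist and installer names are assumptions.

```python
# Constructed sample of `adb shell settings get secure enabled_accessibility_services`:
# colon-separated ComponentName strings (pkg/cls; cls may be abbreviated to ".Cls").
ENABLED_SERVICES = (
    "com.google.android.marvin.talkback/com.google.android.marvin.talkback.TalkBackService:"
    "com.cleaner.phonebooster/.SystemUpdateService"
)
# Constructed sample of `adb shell pm list packages -3 -i` (third-party packages with installer).
PM_LIST = """package:com.cleaner.phonebooster  installer=null
package:com.wallet.crypto.trustapp  installer=com.android.vending
package:org.thoughtcrime.securesms  installer=com.android.vending"""

KNOWN_TOOLS = {"com.google.android.marvin.talkback"}  # assumed allowlist; extend per fleet
STORE_INSTALLERS = {"com.android.vending"}            # Google Play; add enterprise stores as needed

def parse_components(setting: str) -> list[tuple[str, str]]:
    """Split the secure setting into (package, fully qualified class) pairs."""
    out = []
    for item in filter(None, setting.split(":")):
        pkg, _, cls = item.partition("/")
        if cls.startswith("."):
            cls = pkg + cls  # expand abbreviated class name
        out.append((pkg, cls))
    return out

def parse_installers(pm_output: str) -> dict[str, str]:
    """Map package -> installer from pm output; 'null' means no installer recorded (sideloaded)."""
    installers = {}
    for line in pm_output.splitlines():
        if not line.startswith("package:"):
            continue
        pkg, _, rest = line[len("package:"):].partition(" ")
        installers[pkg] = rest.strip().removeprefix("installer=")
    return installers

def suspicious_services(setting: str, pm_output: str) -> list[dict]:
    """Enabled accessibility services that are neither known tools nor store-installed."""
    installers = parse_installers(pm_output)
    findings = []
    for pkg, cls in parse_components(setting):
        if pkg in KNOWN_TOOLS:
            continue
        inst = installers.get(pkg, "unknown")
        reason = ("sideloaded or unknown installer" if inst not in STORE_INSTALLERS
                  else "store-installed but not an allowlisted tool")
        findings.append({"component": f"{pkg}/{cls}", "installer": inst, "reason": reason})
    return findings
```

Pair any hit with the static config triage of that package's APK; a store-installed but non-allowlisted service is worth a look, a sideloaded one that also declares gestures and full window content is the pattern this page describes.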
Families Using This Technique¶
| Family | Primary Accessibility Abuse |
|---|---|
| Cerberus | Keylogging |
| Anatsa | ATS |
| Hook | Screen streaming |
| Ermac | Overlay trigger |
| SharkBot | ATS |
| Gustuff | ATS |
| Xenomorph | ATS |
| Octo | Screen streaming |
| Hydra | Overlay trigger |
| Medusa | Screen streaming |
| Vultur | Screen streaming |
| GodFather | Overlay trigger |
| Chameleon | Permission escalation |
| Copybara | ATS |
| FluBot | Permission escalation |
| MoqHao | Auto-execution, permission escalation |
| Zanubis | ATS |
| Mamont | Permission escalation |
| SoumniBot | Data theft |
| Crocodilus | Full DTO, contact list injection |
| Herodotus | ATS with human behavior mimicry |
| Sturnus | Encrypted messaging interception |
| RatOn | ATS + NFC relay |
| Klopatra | ATS |
| BingoMod | VNC-based DTO |
| Brokewell | Screen streaming, ATS |
| Albiriox | ATS |
| LeifAccess | Fake Google Play review posting |
| NGate | Permission escalation |
| GoldPickaxe | Facial biometric capture |
| SpyNote | Keylogging, anti-removal |
| Antidot | ATS, keylogging |
| TrickMo | Keylogging, fake lockscreen PIN capture |
| TsarBot | ATS, fake lockscreen PIN capture |
| BlankBot | Custom keyboard keylogging |
| Frogblight | Custom keyboard keylogging |
| ToxicPanda | ATS |
| BTMOB RAT | Credential harvesting, auto-grant |
| Rafel RAT | Anti-removal, notification siphoning |
| Gigabud | Screen recording trigger, automated payments |
| PJobRAT | Data exfiltration |
| DeVixor | Remote access via accessibility |
| FireScam | Notification monitoring |