Special Permissions
These are permissions outside the standard dangerous-permission model that are heavily abused in malware. Granting them requires special user actions (settings toggles, installer prompts) rather than runtime dialogs.
Permissions
| Permission | Abuse Potential | Malware Usage |
|---|---|---|
| SYSTEM_ALERT_WINDOW | Draw over other apps, enabling overlay attacks, credential phishing, tapjacking | Most banking trojans |
| WRITE_SETTINGS | Modify system settings, change default apps, disable security features | Rare in modern malware |
| REQUEST_INSTALL_PACKAGES | Install APKs, sideload malware, dropper functionality | Droppers, multi-stage families |
| REQUEST_DELETE_PACKAGES | Uninstall apps, remove security software | Anti-AV behavior |
| MANAGE_EXTERNAL_STORAGE | Full filesystem access, bypass scoped storage restrictions | Spyware, ransomware |
| BIND_ACCESSIBILITY_SERVICE | Full UI interaction: keylogging, auto-granting permissions, device takeover | Nearly all modern families |
| BIND_NOTIFICATION_LISTENER_SERVICE | Read all notifications, intercept OTPs, exfiltrate messages | Alien, Mamont, FireScam |
| BIND_DEVICE_ADMIN | Device administration: lock device, wipe data, enforce policies | BRATA, Rafel RAT, BingoMod |
| PACKAGE_USAGE_STATS | App usage data, track user behavior, identify active apps for overlay timing | Overlay-based families |
| USE_FULL_SCREEN_INTENT | Launch activities over lock screen, phishing on locked devices | TrickMo, TsarBot |
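
A triage sketch for the table above, added here as an example and not taken from any particular tool: it inventories these permissions in a decoded `AndroidManifest.xml` (for instance, apktool output). The `BIND_*` entries are not requested with `<uses-permission>`; they appear as `android:permission` on the service or receiver the system binds to, so both places are checked. The function name and the sample manifest are constructed for illustration.

```python
import xml.etree.ElementTree as ET

ANDROID = "{http://schemas.android.com/apk/res/android}"
PREFIX = "android.permission."
# Requested through <uses-permission> (names from the table above).
REQUESTED = {"SYSTEM_ALERT_WINDOW", "WRITE_SETTINGS", "REQUEST_INSTALL_PACKAGES",
             "REQUEST_DELETE_PACKAGES", "MANAGE_EXTERNAL_STORAGE",
             "PACKAGE_USAGE_STATS", "USE_FULL_SCREEN_INTENT"}
# Declared as android:permission on the component the system binds to.
BOUND = {"BIND_ACCESSIBILITY_SERVICE", "BIND_NOTIFICATION_LISTENER_SERVICE",
         "BIND_DEVICE_ADMIN"}

def _short(name):
    """Strip the android.permission. prefix; None for anything else."""
    return name[len(PREFIX):] if name.startswith(PREFIX) else None

def special_permissions(manifest_xml):
    """Return sorted (permission, where_declared) pairs from a decoded manifest.

    A hit shows what the app is built to ask for; whether it was granted
    is device state (the Settings toggles), not manifest content.
    """
    hits = set()
    for el in ET.fromstring(manifest_xml).iter():
        if el.tag in ("uses-permission", "uses-permission-sdk-23"):
            perm = _short(el.get(ANDROID + "name", ""))
            if perm in REQUESTED:
                hits.add((perm, "uses-permission"))
        elif el.tag in ("service", "receiver"):
            perm = _short(el.get(ANDROID + "permission", ""))
            if perm in BOUND:
                hits.add((perm, f"{el.tag} {el.get(ANDROID + 'name', '?')}"))
    return sorted(hits)

# Constructed sample manifest, not from a real app.
SAMPLE_MANIFEST = """<manifest
    xmlns:android="http://schemas.android.com/apk/res/android"
    package="com.example.constructed">
  <uses-permission android:name="android.permission.INTERNET"/>
  <uses-permission android:name="android.permission.SYSTEM_ALERT_WINDOW"/>
  <uses-permission android:name="android.permission.REQUEST_INSTALL_PACKAGES"/>
  <application>
    <service android:name=".HelperService"
        android:permission="android.permission.BIND_ACCESSIBILITY_SERVICE"/>
    <receiver android:name=".AdminReceiver"
        android:permission="android.permission.BIND_DEVICE_ADMIN"/>
  </application>
</manifest>"""

if __name__ == "__main__":
    for perm, where in special_permissions(SAMPLE_MANIFEST):
        print(f"{perm:36} {where}")
```
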
Granting Mechanism
Unlike dangerous permissions that show a simple dialog, special permissions require the user to navigate to Android Settings:
| Permission | How It's Granted | How Malware Obtains It |
|---|---|---|
| SYSTEM_ALERT_WINDOW | Settings > Apps > Special access > Display over other apps | Social engineering prompt, or auto-granted for Play Store installs (pre-Android 10) |
| BIND_ACCESSIBILITY_SERVICE | Settings > Accessibility > [App Name] | Persistent fake prompts claiming the app needs "accessibility" for security |
| BIND_DEVICE_ADMIN | Settings > Security > Device admin apps | Often combined with ransomware lock to prevent removal |
| REQUEST_INSTALL_PACKAGES | Settings > Apps > Special access > Install unknown apps | Requested as part of "update" flow |
| BIND_NOTIFICATION_LISTENER_SERVICE | Settings > Apps > Special access > Notification access | Presented as needed for "message security" |
On Android 13+, Restricted Settings blocks sideloaded apps from directly requesting accessibility and notification listener access. Malware bypasses this through session-based installation or by convincing users to manually navigate through the extra confirmation step.