Malware Abuses Android Accessibility Feature to Steal Data

Researchers at mobile security firm Lookout have come across a piece of malware that abuses the accessibility service in Android to steal sensitive data from infected smartphones.

The threat, detected as “AndroRATIntern” and sold commercially as “AndroidAnalyzer,” is a surveillance tool created with the AndroRAT toolkit. Lookout says it’s the first threat that abuses accessibility features offered by the Android operating system for data theft.

According to Lookout, the malware is utilized to target users in Japan. Once it’s deployed on a smartphone, the Trojan is capable of collecting contact data, SMS messages, videos, photos, call logs, GPS location, SD card changes, and messages from LINE, a popular communications app developed by a Japan-based company.

LINE, which allows users to make voice and video calls and send messages, is one of the most popular communications apps in Japan. LINE is available for all popular platforms and in more than a dozen languages, and its developers say the application is used by more than 600 million users worldwide.

Android malware that steals SMS messages, contact data, and other files is not uncommon. However, stealing messages from LINE is more difficult because the application runs in a sandbox.

AndroRATIntern bypasses this security mechanism by abusing the text-to-speech accessibility feature in Android. This feature is designed to aid visually impaired users, but the malware developers are leveraging it to capture LINE messages when they are opened by the victim.

“AndroRATIntern’s abuse of the accessibility service highlights the importance of not relying solely on OS-based security to protect mobile data as it is, in fact, a malicious use of a legitimate OS service,” Lookout explained in a blog post. “As an Android system service, the accessibility service operates outside of the normal app permission model and AndroRATIntern abuses this ability to circumvent app sandboxing measures intended to protect mobile data.”
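A defender-side check for the abuse described above, as an added example that is not from Lookout or the original article: it parses the value of Android's `enabled_accessibility_services` secure setting (as returned by `adb shell settings get secure enabled_accessibility_services`) and lists services outside an allowlist. The allowlist contents and the `com.example.analyzer` sample entry are assumptions made for illustration.

```python
# Added example: audit which accessibility services are enabled on a device.
# Input is the text returned by:
#   adb shell settings get secure enabled_accessibility_services
# The value is a colon-separated list of "package/class" component names.

# Assumption: illustrative allowlist; replace with your own fleet policy.
ALLOWED_PACKAGES = {"com.google.android.marvin.talkback"}


def parse_enabled_services(raw):
    """Return [(package, fully_qualified_class)] from the settings value."""
    raw = raw.strip()
    if not raw or raw == "null":          # setting unset or empty
        return []
    services = []
    for entry in raw.split(":"):
        entry = entry.strip()
        if not entry:
            continue
        # Entries without "/" are kept (class left empty) so they still
        # show up for review instead of being silently dropped.
        package, _, cls = entry.partition("/")
        if cls.startswith("."):           # short form: ".Service"
            cls = package + cls
        services.append((package, cls))
    return services


def unexpected_services(raw, allowed=ALLOWED_PACKAGES):
    """Enabled accessibility services whose package is not allowlisted."""
    return [(p, c) for p, c in parse_enabled_services(raw) if p not in allowed]


# Constructed sample value, not taken from a real device or from the article.
SAMPLE = (
    "com.google.android.marvin.talkback/"
    "com.google.android.marvin.talkback.TalkBackService:"
    "com.example.analyzer/.MonitorService"
)

if __name__ == "__main__":
    for pkg, cls in unexpected_services(SAMPLE):
        print(f"review: {pkg} -> {cls}")
```
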

Experts say AndroRATIntern poses a threat to both individuals and enterprises. However, they have pointed out that the malware can only be installed on Android smartphones by an attacker who has physical access to the targeted device. This makes it a more targeted threat.

Lookout has noted that the risk associated with such threats, known as “surveillanceware,” is twofold because data is collected not only by the individual who uses the application, but also the organization that develops it. This makes the developer a tempting target for threat actors.

A good example is the recent incident in which the systems of mSpy, a controversial mobile and computer monitoring software, were breached. The attacker leaked customer records obtained from the company’s systems.

“A surveillanceware service provider can have a veritable warehouse of valuable data collected from successfully-infected devices and this warehouse can be an attractive target for attackers,” Lookout said.

Written By

Eduard Kovacs (@EduardKovacs) is a contributing editor at SecurityWeek. He worked as a high school IT teacher for two years before starting a career in journalism as Softpedia’s security news reporter. Eduard holds a bachelor’s degree in industrial informatics and a master’s degree in computer techniques applied in electrical engineering.
