Connect with us

Hi, what are you looking for?


Mobile & Wireless

Malware Abuses Android Accessibility Feature to Steal Data

Researchers at mobile security firm Lookout have come across a piece of malware that abuses the accessibility service in Android to steal sensitive data from infected smartphones.

Researchers at mobile security firm Lookout have come across a piece of malware that abuses the accessibility service in Android to steal sensitive data from infected smartphones.

The threat, detected as “AndroRATIntern” and sold commercially as “AndroidAnalyzer,” is a surveillance tool created with the AndroRAT toolkit. Lookout says it’s the first threat that abuses accessibility features offered by the Android operating system for data theft.

According to Lookout, the malware is utilized to target users in Japan. Once it’s deployed on a smartphone, the Trojan is capable of collecting contact data, SMS messages, videos, photos, call logs, GPS location, SD card changes, and messages from LINE, a popular communications app developed by a Japan-based company.

LINE, which allows users to make voice and video calls and send messages, is one of the most popular communications apps in Japan. LINE is available for all popular platforms and in more than a dozen languages, and its developers say the application is used by more than 600 million users worldwide.

Android malware that steals SMS messages, contact data, and other files is not uncommon. However, stealing messages from LINE is more difficult because the application runs in a sandbox.

AndroRATIntern bypasses this security mechanism by abusing the text-to-speech accessibility feature in Android. This feature is designed to aid visually impaired users, but the malware developers are leveraging it to capture LINE messages when they are opened by the victim.

“AndroRATIntern’s abuse of the accessibility service highlights the importance of not relying solely on OS-based security to protect mobile data as it is, in fact, a malicious use of a legitimate OS service,” Lookout explained in a blog post. “As an Android system service, the accessibility service operates outside of the normal app permission model and AndroRATIntern abuses this ability to circumvent app sandboxing measures intended to protect mobile data.”

Experts say AndroRATIntern poses a threat to both individuals and enterprises. However, they have pointed out that the malware can only be installed on Android smartphones by an attacker who has physical access to the targeted device. This makes it a more targeted threat.

Advertisement. Scroll to continue reading.

Lookout has noted that the risk associated with such threats, known as “surveillanceware,” is twofold because data is collected not only by the individual who uses the application, but also the organization that develops it. This makes the developer a tempting target for threat actors.

A good example is the recent incident in which the systems of mSpy, a controversial mobile and computer monitoring software, were breached. The attacker leaked customer records obtained from the company’s systems.

“A surveillanceware service provider can have a veritable warehouse of valuable data collected from successfully-infected devices  and this warehouse can be an attractive target for attackers,” Lookout said.

Written By

Eduard Kovacs (@EduardKovacs) is a managing editor at SecurityWeek. He worked as a high school IT teacher for two years before starting a career in journalism as Softpedia’s security news reporter. Eduard holds a bachelor’s degree in industrial informatics and a master’s degree in computer techniques applied in electrical engineering.

Click to comment

Daily Briefing Newsletter

Subscribe to the SecurityWeek Email Briefing to stay informed on the latest threats, trends, and technology, along with insightful columns from industry experts.

Join us as we delve into the transformative potential of AI, predictive ChatGPT-like tools and automation to detect and defend against cyberattacks.


As cybersecurity breaches and incidents escalate, the cyber insurance ecosystem is undergoing rapid and transformational change.


Expert Insights

Related Content

Mobile & Wireless

Infonetics Research has shared excerpts from its Mobile Device Security Client Software market size and forecasts report, which tracks enterprise and consumer security client...

Mobile & Wireless

Apple rolled out iOS 16.3 and macOS Ventura 13.2 to cover serious security vulnerabilities.

Mobile & Wireless

Samsung smartphone users warned about CVE-2023-21492, an ASLR bypass vulnerability exploited in the wild, likely by a spyware vendor.

Mobile & Wireless

Critical security flaws expose Samsung’s Exynos modems to “Internet-to-baseband remote code execution” attacks with no user interaction. Project Zero says an attacker only needs...

Mobile & Wireless

Two vulnerabilities in Samsung’s Galaxy Store that could be exploited to install applications or execute JavaScript code by launching a web page.

Malware & Threats

Apple’s cat-and-mouse struggles with zero-day exploits on its flagship iOS platform is showing no signs of slowing down.

Mobile & Wireless

Asus patched nine WiFi router security defects, including a highly critical 2018 vulnerability that exposes users to code execution attacks.

Mobile & Wireless

Technical details published for an Arm Mali GPU flaw leading to arbitrary kernel code execution and root on Pixel 6.