Malware Abuses Android Accessibility Feature to Steal Data

Researchers at mobile security firm Lookout have come across a piece of malware that abuses the accessibility service in Android to steal sensitive data from infected smartphones.

The threat, detected as “AndroRATIntern” and sold commercially as “AndroidAnalyzer,” is a surveillance tool created with the AndroRAT toolkit. Lookout says it’s the first threat that abuses accessibility features offered by the Android operating system for data theft.

According to Lookout, the malware is utilized to target users in Japan. Once it’s deployed on a smartphone, the Trojan is capable of collecting contact data, SMS messages, videos, photos, call logs, GPS location, SD card changes, and messages from LINE, a popular communications app developed by a Japan-based company.

LINE, which allows users to make voice and video calls and send messages, is one of the most popular communications apps in Japan. LINE is available for all popular platforms and in more than a dozen languages, and its developers say the application is used by more than 600 million users worldwide.

Android malware that steals SMS messages, contact data, and other files is not uncommon. However, stealing messages from LINE is more difficult because the application runs in a sandbox.

AndroRATIntern bypasses this security mechanism by abusing the text-to-speech accessibility feature in Android. This feature is designed to aid visually impaired users, but the malware developers are leveraging it to capture LINE messages when they are opened by the victim.

“AndroRATIntern’s abuse of the accessibility service highlights the importance of not relying solely on OS-based security to protect mobile data as it is, in fact, a malicious use of a legitimate OS service,” Lookout explained in a blog post. “As an Android system service, the accessibility service operates outside of the normal app permission model and AndroRATIntern abuses this ability to circumvent app sandboxing measures intended to protect mobile data.”

Experts say AndroRATIntern poses a threat to both individuals and enterprises. However, they have pointed out that the malware can only be installed on Android smartphones by an attacker who has physical access to the targeted device. This makes it a more targeted threat.

Lookout has noted that the risk associated with such threats, known as “surveillanceware,” is twofold because data is collected not only by the individual who uses the application, but also the organization that develops it. This makes the developer a tempting target for threat actors.

A good example is the recent incident in which the systems of mSpy, a controversial mobile and computer monitoring software, were breached. The attacker leaked customer records obtained from the company’s systems.

“A surveillanceware service provider can have a veritable warehouse of valuable data collected from successfully-infected devices  and this warehouse can be an attractive target for attackers,” Lookout said.