Beware! Giving an app accessibility services capability enables it to take over your phone.

Security and privacy of Android systems and web browsers have improved significantly in recent years, to the degree that it has become increasingly difficult for malware to capture valuable data. Malware therefore often attempts to fool the phone user into granting it powers that enable it to collect data about the user, encrypt data and demand a ransom for its return, or even launch attacks on other devices.

There are a number of things worth considering before installing, and when using, apps. Permissions and device administrator powers can be used by abusive apps against you. The most powerful capability you can grant to an app is enabling it as an accessibility service. Once granted this capability, the app can do everything a user can: draw over other apps, even block a user's inputs. It can grant itself any permission it requires to take full control of the device, block attempts to stop or remove it, and even hide that it is installed.

An app doesn't necessarily need to be malicious. It may be vulnerable to an attacker who could use its accessibility service capabilities to take control of the phone.

The BlackRock banking trojan, the latest in a line of powerful trojans, tricks users into granting it accessibility services; it is then able to set up the device to resist attempts at detection and removal and gets ready to collect account login data. BlackRock can see when you launch banking, social media and dating apps and overlays a screen to encourage you to enter login or credit card details, which it collects.

It is strongly recommended never to grant apps accessibility service capabilities unless you need them due to a disability. You can check in Android settings to see whether apps have this capability, and remove it if necessary. A cunning malicious app can, however, hide this and/or stop you from disabling the capability. On devices launched with Android Oreo or newer, it's possible to reliably check whether your device has an accessibility service enabled using the Auditor app (also available via the IzzyOnDroid F-Droid repo) with a second phone also running Auditor, or with the attestation.app service. Alternatively, any phone can be connected to a computer and examined using adb. It is also possible to use adb to uninstall a malicious app that is blocking its own removal.
#Android #Security
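The adb check and removal mentioned in the post, written out as an added example (not part of the original post). It assumes adb from the Android platform-tools is installed, USB debugging is enabled on the phone, and that the `enabled_accessibility_services` secure setting holds a colon-separated `package/ServiceClass` list, which is how Android stores it. The sample value used in the usage comments is constructed.

```shell
#!/bin/sh
# Added example (not from the original post): inspect which apps hold the
# accessibility-service capability over adb, and show the adb command that
# removes a package for the current user even when the app blocks removal
# through the Settings UI. Requires adb and USB debugging on the phone.

# Android stores enabled accessibility services in the "secure" settings
# namespace as a colon-separated list of "package/ServiceClass" entries,
# e.g. "com.example.a/com.example.a.Svc:com.example.b/.Svc" (constructed).
# This function reduces that list to one package name per line.
parse_accessibility_services() {
    # $1: raw value of enabled_accessibility_services ("null" or "" when none)
    case "$1" in
        ""|null) return 0 ;;
    esac
    printf '%s\n' "$1" | tr ':' '\n' | cut -d/ -f1 | sort -u
}

# Query the connected device; prints the raw setting value (CRs stripped).
read_enabled_services() {
    adb shell settings get secure enabled_accessibility_services | tr -d '\r'
}

# Report which packages hold the capability and whether each is third-party
# ("pm list packages -3" lists only non-system packages), so the owner can
# decide what does not belong there.
audit_device() {
    raw=$(read_enabled_services)
    pkgs=$(parse_accessibility_services "$raw")
    if [ -z "$pkgs" ]; then
        echo "No accessibility services are enabled."
        return 0
    fi
    echo "Packages with accessibility-service capability:"
    for p in $pkgs; do
        if adb shell pm list packages -3 | tr -d '\r' | grep -qx "package:$p"; then
            echo "  $p  (third-party app)"
        else
            echo "  $p  (system/preinstalled)"
        fi
    done
}

# Remove a package for user 0 through the package manager. This sidesteps a
# Settings UI the app may be drawing over or blocking. It does not remove an
# app that is still an active device administrator; that status has to be
# deactivated first (dpm remove-active-admin, or Settings if reachable).
remove_package() {
    # $1: package name, e.g. one that audit_device reported
    adb shell pm uninstall --user 0 "$1"
}

# Usage: sh audit_a11y.sh                -> audit the connected phone
#        sh audit_a11y.sh com.example.a  -> uninstall that package (constructed name)
if [ "${0##*/}" = "audit_a11y.sh" ]; then
    if [ -n "$1" ]; then remove_package "$1"; else audit_device; fi
fi
```

Run the audit first and compare the listed packages against what you actually installed for accessibility reasons; a package you do not recognise holding this capability is the condition the post warns about, and `remove_package` is the adb path to get rid of it when the app hides or blocks its own removal in Settings.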