Android’s recent API modifications have hampered some malware’s ability to determine which application is currently running in the foreground of a device at any given point of time. As Android begins to successfully block this attack method, attackers may adopt a trick used by adware so that their threats can work again. Though we have previously seen mobile potentially unwanted applications (PUAs) abuse accessibility services to install arbitrary applications, we believe financial malware could use the same technique to circumvent a significant security improvement specifically created to thwart this kind of threat.
Why is this ability important for malware?
The ability for malware to detect which app is running in the foreground is of particular importance to banking malware, such as Android.Bankosy and Android.Fakelogin. These threats function by learning which application is operating in the foreground, pushing it to the background, and then pushing a fake lookalike screen to the foreground. This screen looks like a banking application and is used to steal victims' information. If malware can't tell which app is operating in the foreground, it doesn't know which app to push to the background or when to do it.
The old techniques
Older versions of banking Trojans used a technique that invoked the built-in API, getRunningTasks(), to determine what app was currently running in the foreground. Once the threat used this method to discover if a banking app was running, the threat could push itself to the foreground to steal information. This method was deprecated in Android Lollipop, so malware authors found another way to discover what app was running in the foreground.
From Lollipop onwards, attackers began using an undocumented variable to determine what app was running in the foreground. While this method worked for some time, Google eventually blocked it from working in Android 5.0 and later.
These methods no longer work on recent Android versions, which account for about 40 percent of Android devices.
Abusing the accessibility service
While Google has closed most doors to techniques that identify the foreground app, some adware families and PUAs have begun to abuse Android’s accessibility service so that they can determine what app is running at any given time.
Android's accessibility service is meant to help users with physical, visual, or age-related limitations use their device. Some accessibility service features include text-to-speech, haptic feedback, and gesture navigation. Audio-based accessibility features need to know which app is currently running in the foreground so that they can tell a visually impaired user about it through the device’s speakers.
Adware and PUAs take advantage of these features by first registering an accessibility service. The apps’ authors do this by declaring a service in the manifest with an intent filter for the android.accessibilityservice.AccessibilityService action.
The adware or PUA authors then configure the accessibility service to handle specific event types. For example, the author may set accessibilityEventTypes to typeAllMask so that the accessibility service receives all types of accessibility events.
Once the accessibility service has been configured, the adware or PUA uses social engineering to trick the user into turning on the accessibility service. For example, in the following image, a risky app displays a window asking the user to activate the accessibility service. Users may be able to identify the message as a trick based on the text’s misspellings.
Figure 1. Message displayed by adware and PUAs to trick users into turning on accessibility services
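The manifest registration and event-type configuration described above leave a static footprint that an analyst can check when triaging a decoded APK. The following Python script is an added example (not code from the article or from any of the apps it describes): it parses a decoded AndroidManifest.xml and the res/xml service config it points to, and flags services that listen to typeAllMask or typeWindowStateChanged, the events that expose every window change. The sample manifest and config are constructed for illustration.

```python
# Added triage check: flag decoded APKs that register an accessibility service
# whose config listens broadly (typeAllMask / typeWindowStateChanged), the setup
# the article describes. SAMPLE_* values below are constructed, not real apps.
import xml.etree.ElementTree as ET

NS = "{http://schemas.android.com/apk/res/android}"  # android: attribute namespace
ACCESSIBILITY_ACTION = "android.accessibilityservice.AccessibilityService"
BROAD_EVENT_TYPES = {"typeAllMask", "typeWindowStateChanged"}


def audit_accessibility_services(manifest_xml, xml_resources):
    """One finding per declared accessibility service. xml_resources maps a
    resource name (e.g. 'accessibility_config') to its decoded res/xml text."""
    findings = []
    for svc in ET.fromstring(manifest_xml).iter("service"):
        if ACCESSIBILITY_ACTION not in {a.get(NS + "name") for a in svc.iter("action")}:
            continue  # ordinary service, not bound as an accessibility service
        types, retrieves = set(), False
        for meta in svc.iter("meta-data"):
            if meta.get(NS + "name") != "android.accessibilityservice":
                continue
            res = (meta.get(NS + "resource") or "").replace("@xml/", "")
            if res in xml_resources:  # config lives in res/xml/<res>.xml
                cfg = ET.fromstring(xml_resources[res])
                raw = cfg.get(NS + "accessibilityEventTypes") or ""
                types = {t for t in raw.split("|") if t}
                retrieves = cfg.get(NS + "canRetrieveWindowContent") == "true"
        findings.append({
            "service": svc.get(NS + "name"),
            "bind_permission_set": svc.get(NS + "permission")
            == "android.permission.BIND_ACCESSIBILITY_SERVICE",
            "event_types": types,
            "retrieves_window_content": retrieves,
            "broad_listener": bool(types & BROAD_EVENT_TYPES),  # sees every window change
        })
    return findings


SAMPLE_MANIFEST = """<manifest xmlns:android="http://schemas.android.com/apk/res/android"
  package="com.example.constructed"><application>
  <service android:name=".HelperService"
      android:permission="android.permission.BIND_ACCESSIBILITY_SERVICE">
    <intent-filter><action android:name="android.accessibilityservice.AccessibilityService"/></intent-filter>
    <meta-data android:name="android.accessibilityservice" android:resource="@xml/accessibility_config"/>
  </service></application></manifest>"""
SAMPLE_RESOURCES = {"accessibility_config": """<accessibility-service
  xmlns:android="http://schemas.android.com/apk/res/android"
  android:accessibilityEventTypes="typeAllMask" android:canRetrieveWindowContent="true"/>"""}

if __name__ == "__main__":
    print(audit_accessibility_services(SAMPLE_MANIFEST, SAMPLE_RESOURCES))
```

Run it against the output of a manifest decoder (e.g. apktool) by passing the decoded manifest text and a dict of the res/xml files; a broad listener alone is not proof of abuse, since legitimate screen readers need the same events, so treat the flag as a triage prompt.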
While this method may provide risky software with the means of finding the foreground app, it requires the user to perform several actions first. Even after clicking on “Accessibility” on the pop-up window, users still must actually turn on the accessibility service in their device settings.
However, if the victim does enable the accessibility service, then the adware or PUA can discover what app is currently running on the device as illustrated in the code snippet in figure 2. This allows the adware or PUA to move itself to the foreground.
Figure 2. How adware and PUAs use the accessibility service to discover what the foreground app is
This method works on all versions of Android, but risky software most frequently uses it on versions 5.0 and later. For earlier versions of the mobile OS, attackers still prefer to use getRunningTasks(), because it is more convenient and does not require any user interaction. While we’ve mainly seen adware and PUAs use this technique, it’s likely that Android banking malware will implement it in the future.
Symantec detects the adware and PUAs that are using these techniques as:
Symantec recommends that users follow these best practices to stay protected from mobile banking threats, as well as adware and PUAs.
- Keep your software up to date
- Do not download apps from unfamiliar sites or third-party app stores
- Only install apps from trusted sources
- Pay close attention to the permissions that apps request
- Install a suitable mobile security app, such as Norton, in order to protect your device and data
- Back up important data frequently