Request Pricing
En


    Tracking device admin accessibility services

      Technique summary
    Technique Tracking decide admin accessibility services
    Against Malicious accessibility services
    Limitations API Level ≥ 34 (Android ≥14)
    Side effects None
    Recommendations Recommended for use combined with other techniques for older devices.

    This technique is an extension of accessibility services allow-listing.

    A common malware workflow pattern is to obtain accessibility service rights, and later also device admin rights. Therefore, a strategy could be to check applications that have both privileges.

    This code can be used to enumerate accessibility services.

    private void inspectA11yServices() { AccessibilityManager am =(AccessibilityManager) mContext. getSystemService(Context.ACCESSIBILITY_SERVICE); a11yServiceList = am.getEnabledAccessibilityServiceList(FEEDBACK_ALL_MASK); }

    The next block of code would enumarate device admin apps:

    private void inspectDeviceAdminApps() { DevicePolicyManager devicePolicyManager = (DevicePolicyManager) mContext. getSystemService(Context.DEVICE_POLICY_SERVICE); List activeDeviceAdminComp = devicePolicyManager.getActiveAdmins(); if (activeDeviceAdminComp != null) { // active device admin apps were found for (ComponentName cn : activeDeviceAdminComp) { deviceAdminAppList.add(cn.getPackageName()); } } }

    And finally, this block of code will check whether there is any app in both lists:

    public boolean getVerdict() { boolean result = false; for (AccessibilityServiceInfo asi : a11yServiceList) { String id = asi.getId(); for (String pn: deviceAdminAppList) { if (id.contains(pn)) { Log.d(TAG, "[!] app '" + pn + "' is suspicious (a11y + device admin)"); suspiciousAppList.add(pn); result = true; } } } return result; }

     

    Guardsquare

    Table of contents