
Tracking Side-loaded Accessibility Services | Guardsquare

Written by Guardsquare | Feb 13, 2024 6:14:45 PM
Technique summary

Technique: Tracking side-loaded accessibility services
Against: Malicious accessibility services
Limitations: API Level ≥ 34 (Android ≥14), requires QUERY_ALL_PACKAGES privilege
Side effects: This technique may restrict third-party app stores if they are not included in the installer list
Recommendations: Recommended for use combined with other techniques for older devices.

This technique is an extension of accessibility services allow-listing.

Another criterion for treating an application as suspicious is that it has an enabled accessibility service and was side-loaded. The implementation is shown in the snippet below:

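    import android.accessibilityservice.AccessibilityServiceInfo;
    import android.content.Context;
    import android.content.pm.PackageManager;
    import android.os.Build;
    import android.util.Log;
    import android.view.accessibility.AccessibilityManager;
    import java.util.List;

    // mContext, packageManager, sideLoadedA11yAppList and TAG are assumed to be
    // members of the enclosing class.
    private void inspectSideLoadedA11yServices() {
        AccessibilityManager am =
                (AccessibilityManager) mContext.getSystemService(Context.ACCESSIBILITY_SERVICE);
        List<AccessibilityServiceInfo> a11yServiceList =
                am.getEnabledAccessibilityServiceList(AccessibilityServiceInfo.FEEDBACK_ALL_MASK);
        // (...)
        for (AccessibilityServiceInfo asi : a11yServiceList) {
            // The service ID has the form "package/class"; keep the package part.
            String packageName = asi.getId().split("/")[0];
            try {
                String installer;
                if (Build.VERSION.SDK_INT >= Build.VERSION_CODES.R) {
                    installer = packageManager
                            .getInstallSourceInfo(packageName)
                            .getInstallingPackageName();
                } else {
                    installer = packageManager.getInstallerPackageName(packageName);
                }
                // No recorded installer, or an installer other than Google Play.
                if (installer == null || !installer.equals("com.android.vending")) {
                    Log.d(TAG, "[!] app '" + packageName + "' has a11y and is side-loaded");
                    sideLoadedA11yAppList.add(packageName);
                }
            } catch (PackageManager.NameNotFoundException | IllegalArgumentException e) {
                // The package is no longer installed (the pre-R call reports this with
                // IllegalArgumentException); there is nothing to inspect.
            }
        }
    }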
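The summary notes that third-party app stores are restricted unless they appear in the installer list, while the snippet accepts only `com.android.vending`. The following added example (not Guardsquare's code) generalizes that check to an installer allow-list in plain Java so the decision logic can be exercised off-device. The class and method names, the `installerOf` lookup that stands in for the `PackageManager` call, and every package name other than `com.android.vending` are constructed assumptions.

```java
import java.util.*;
import java.util.function.Function;

public class SideLoadedA11yCheck {
    // Installers treated as trusted. "com.android.vending" is from the article;
    // "com.example.trustedstore" is a constructed placeholder for an additional store.
    static final Set<String> TRUSTED_INSTALLERS =
            Set.of("com.android.vending", "com.example.trustedstore");

    /** Extracts the package from a service ID of the form "package/class". */
    static String packageOf(String serviceId) {
        if (serviceId == null) return null;
        int slash = serviceId.indexOf('/');
        return slash > 0 ? serviceId.substring(0, slash) : null;
    }

    /**
     * Returns the packages of enabled accessibility services whose installer is
     * unknown or not allow-listed. installerOf (hypothetical) replaces the
     * PackageManager lookup and returns null when no installer is recorded.
     */
    static List<String> sideLoaded(List<String> enabledServiceIds,
                                   Function<String, String> installerOf) {
        Set<String> flagged = new LinkedHashSet<>(); // one entry per package, stable order
        for (String id : enabledServiceIds) {
            String pkg = packageOf(id);
            if (pkg == null) continue; // malformed ID: nothing to look up
            String installer = installerOf.apply(pkg);
            // Null is tested first because Set.of(...).contains(null) throws.
            if (installer == null || !TRUSTED_INSTALLERS.contains(installer)) {
                flagged.add(pkg);
            }
        }
        return new ArrayList<>(flagged);
    }

    public static void main(String[] args) {
        // Constructed sample data: package -> recorded installer.
        Map<String, String> installers = new HashMap<>();
        installers.put("com.example.reader", "com.android.vending");
        installers.put("com.example.storeapp", "com.example.trustedstore");
        installers.put("com.example.unknownsource", null);
        installers.put("com.example.dropped", "com.example.filemanager");
        List<String> ids = List.of(
                "com.example.reader/.ReaderService", "com.example.storeapp/.Helper",
                "com.example.unknownsource/.Overlay", "com.example.dropped/.Svc",
                "com.example.dropped/.SecondSvc");
        System.out.println(sideLoaded(ids, installers::get));
    }
}
```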