Fraud alert: Preventing malicious apps from accessing your data

This is an authored post by Radhakrishna R and Anuj Bhansali

Mr. Kumar was puzzled when he got an OTP message in the morning and a few minutes later got a message “9999/- has been debited from your bank account XXX bank”. He was always careful not to share his OTP with anyone. On investigation it was found that Mr. Kumar had downloaded an app 3 days back which promised to give lucrative offers and more than 50% discounts on all e-commerce sites. What appeared to be a unsuspecting app was actually a malicious app which took admin privileges from Mr.Kumar using Android accessibility service and passed the OTP/Card number without asking the user.

This is not something we see everyday but this phenomena is seeing an upward trend in India since we tend to install apps from links/SMS/playstore without verifying the permissions required by these apps.

There have been recent cases of vulnerability in some Android apps due to the use of the Android accessibility service. This service might allow attackers to discover a user’s typed in Credit/Debit card details, pin and login post install of the malicious app.

In fact there was also a recent report circulating around on a vulnerability in the PhonePe app that *might* allow attackers to discover Credit/Debit card details that might have been added by the user post the malicious app install. We take user security very strictly and there has been no compromise on the credit card/debit card information. Accessibility just acts at a device level and has no implications on how data is transferred or stored.

In this blogpost we discuss how to prevent fraud by not allowing malicious apps from accessing your data.

Before we go into the technical details, we need to understand how this happens and what is Android accessibility. Android accessibility service is an application that provides user interface enhancements to assist users with disabilities, or who may temporarily be unable to fully interact with a device or an app. Android encourages all apps to support accessibility (https://developer.android.com/guide/topics/ui/accessibility/) so that legitimate accessibility services such as Talkback can help users. Accessibility is important for users with low-vision, seniors, temporarily disabled users etc. Android provides standard accessibility services, including TalkBack, which gives voiceover for keyboard entries.

In some cases a user’s security can get compromised due to a malicious app installed on their device which has been explicitly granted “Accessibility Permissions”. In such cases the malicious app can pose as a legitimate Accessibility service and intercept anything that is being typed on an app that supports accessibility. This is like having a malicious keyboard app installed on your device that intercepts every keystroke or a malicious screen-capture app that is taking frequent screenshots of your device usage.

So then is there a solution to this problem? Android already warns users that enabling an accessibility service app can make them vulnerable to data loss. In fact, it also highlights what all personal data can be observed, including credit card numbers and passwords. (see below)

Like we mentioned, third-party keyboards can also access this information, and Android warns users here too at the point of enabling (see below)

So until Android fixes this problem by ensuring that no untrusted apps can ever get Accessibility permissions, it is important for users to be careful before giving elevated permissions — whether that’s to an accessibility service, device administrator, or root — to applications they do not trust. In fact, Google has also cracked down on apps which misuse Accessibility permission. Read it here.