Researchers detect a threat that abuses Android accessibility feature to steal data

Researchers from Lookout, a San Francisco-based mobile
security company that provides security to both private and business mobile
devices, have detected malware dubbed “AndroRATIntern” that abuses the accessibility
service in Android to steal sensitive data from infected smartphones.
“After discovering this threat, Lookout notified both LINE
and Google. None of LINE’s systems were breached. All Lookout users are
protected against this threat,” the researchers wrote in the blog.
According to the researchers, AndroRATIntern is
surveillanceware developed from the AndroRAT malware toolkit. It is sold commercially as “AndroidAnalyzer”.
“The threat is
notably the first piece of malware we’ve ever seen abusing the Android accessibility
service to steal data,” the blog read.
According to them, the malware targets the Japanese market.
It can collect a broad range of data from infected devices, including messages
from LINE, one of the most popular communications apps in Japan, which allows
users to make voice and video calls and send messages, as well as contact data,
call logs, SMS, audio, video, photos, SD card changes, and GPS location.
The researchers said that AndroRATIntern must be installed
locally, which requires a malicious actor to have physical, unmonitored access
to the target device, making it a much more targeted threat that cannot be spread
by drive-by-download campaigns.
Malware that steals SMS messages, contact data, and other files is
not uncommon. However, it is difficult to steal messages from LINE as the
application runs in a sandbox.
The malware bypasses the security mechanism
by abusing the text-to-speech accessibility feature in Android. This feature is
designed to aid visually impaired users, but the malware developers are
leveraging it to capture LINE messages when they are opened by the victim.
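
A defender-side check related to the behaviour described above, added here as an example and not code from Lookout or the original article: it parses the device's `enabled_accessibility_services` setting (as read with `adb shell settings get secure enabled_accessibility_services`) and reports any accessibility service that is not on an expected list. The allowlist, the sample value and the `com.example.analyzer` package are constructed for illustration, and it is an assumption that such surveillanceware shows up as an enabled accessibility service.

```python
import subprocess

# Assumption: components this device owner expects to be enabled (edit to suit).
ALLOWLIST = {
    "com.google.android.marvin.talkback/"
    "com.google.android.marvin.talkback.TalkBackService",
}

def normalize(component: str) -> str:
    """Expand the short form 'pkg/.Cls' to 'pkg/pkg.Cls'."""
    pkg, sep, cls = component.strip().partition("/")
    if not sep:
        return pkg
    return f"{pkg}/{pkg + cls if cls.startswith('.') else cls}"

def parse_enabled_services(value: str) -> list[str]:
    """Parse the colon-separated enabled_accessibility_services value."""
    value = value.strip()
    if value in ("", "null"):          # 'null' is printed when the key is unset
        return []
    return [normalize(c) for c in value.split(":") if c.strip()]

def unexpected_services(value: str, allowlist=ALLOWLIST) -> list[str]:
    """Return enabled accessibility services that are not on the allowlist."""
    allowed = {normalize(c) for c in allowlist}
    return [c for c in parse_enabled_services(value) if c not in allowed]

def read_from_device() -> str:
    """Read the live setting over adb (needs a connected, authorized device)."""
    return subprocess.run(
        ["adb", "shell", "settings", "get", "secure",
         "enabled_accessibility_services"],
        capture_output=True, text=True, check=True,
    ).stdout

# Constructed sample value; com.example.analyzer is a made-up package name.
SAMPLE = ("com.google.android.marvin.talkback/.TalkBackService:"
          "com.example.analyzer/.MonitorService\n")

if __name__ == "__main__":
    for component in unexpected_services(SAMPLE):
        print("review accessibility service:", component)
```

To audit a real device, pass `read_from_device()` to `unexpected_services` instead of the sample string.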
The researcher pointed out some tips which can keep people

