Among one of the first cybersecurity vendors to detect abuse of Android’s accessibility services, Verimatrix’s VMX Lab researchers are now detecting variations of this type of attack on a fairly regular basis. 

Verimatrix’s XTD (Extended Threat Defense) solution has built-in detection of Android accessibility services abuse, enabling your organization to harness the detection capability as an automatic SIEM-based prevention tool. Developers should request a chat with a Verimatrix specialist to learn how fast and easy an XTD deployment can be for their team. Until then, app users shouldn’t give undue permissions and only use the official store.

Verimatrix wrote about ATS-based attacks earlier this year, outlining GoatRAT and detailing how screen spoofing is not only dangerous but also on the rise. The company also published an informative post called Screen Spoofing: Dangerous Mobile App Overlay Attacks On the Rise that provides a detailed explanation of how screen overlay attacks take place and why they’re such a threat.

VMX Labs has detected a shift

A fairly new Android Trojan called GoldDigger reared its head in Vietnam this summer, and it appears to be just one of the latest trojans that are exploiting the accessibility service on Android, which is intended to help users with disabilities more easily navigate their devices. Developers can’t turn off the accessibility services.

Up until recently, most malware with their sights on banking mobile apps were using accessibility services only optionally as a trigger to initiate the attack. And they’ve been relying on classic overlays to conduct the attack and steal credentials, etc. That was a preferred method since it worked well for older phones as well as an overall wider range of phones. And nearly all the major attack frameworks, including Cerberus, Hook, and Hydra, operate using this classic approach.

The recent GoldDigger Trojan points to a shift in accessibility services being SYSTEMATICALLY abused to use overlays and inject key strokers to steal credentials and trigger the transfer of funds to the attacker abusing the Automated Transfer System (ATS).

The winding path GoldDigger takes

Thought to be active since around June of this year, the Trojan uses these tools in the attacker’s toolbox (in addition to requesting accessibility services access) to try and steal funds via 50+ mobile  apps:

  • Phishing emails are often step one, trying to lead users to websites to download and install the dropper applications for the attack. 
  • The websites for downloading the dropper app are even going as far as to spoof the Google Play Store page itself or look like legit government or energy company apps.
  • Once the user has downloaded and installed the legit-looking dropper app, they are tricked into giving this application sufficient permissions to allow a wide range of control over the malware on the user’s phone.  
  • The next step is to steal banking app credentials and abuse accessibility services.
  • Even text messages are captured and sent to a C&C server to circumvent multi-factor authentication, for example. Remote control over the device allows the abuse of the banking apps.
  • The use of the legitimate Virbox Protector obfuscation tool makes it more difficult to detect and analyze the malware.
  • The malware is also offered in Spanish and Chinese, indicating plans for a possible expansion to other regions.

Earlier this month, it was also reported that GoldDigger is targeting e-wallets and crypto-wallets in addition to more traditional banking mobile apps, further broadening its chances of successfully raiding accounts.