Tracking device admin accessibility services

    Technique summary

    Technique        Tracking device admin accessibility services
    Against          Malicious accessibility services
    Limitations      API Level ≥ 34 (Android ≥ 14)
    Side effects     None
    Recommendations  Recommended; combine with other techniques to cover older devices

    This technique is an extension of accessibility services allow-listing.

    A common malware workflow pattern is to obtain accessibility service rights first and device admin rights later. A detection strategy, therefore, is to look for applications that hold both privileges at once.

    This code can be used to enumerate accessibility services:

        // Field populated by this method: List<AccessibilityServiceInfo> a11yServiceList
        private void inspectA11yServices() {
            AccessibilityManager am = (AccessibilityManager) mContext.getSystemService(Context.ACCESSIBILITY_SERVICE);
            // FEEDBACK_ALL_MASK returns every enabled service regardless of its feedback type
            a11yServiceList = am.getEnabledAccessibilityServiceList(AccessibilityServiceInfo.FEEDBACK_ALL_MASK);
        }

    The next block of code enumerates device admin apps:

        // Field populated by this method: List<String> deviceAdminAppList
        private void inspectDeviceAdminApps() {
            DevicePolicyManager devicePolicyManager = (DevicePolicyManager) mContext.getSystemService(Context.DEVICE_POLICY_SERVICE);
            List<ComponentName> activeDeviceAdminComp = devicePolicyManager.getActiveAdmins();
            if (activeDeviceAdminComp != null) {
                // active device admin apps were found
                for (ComponentName cn : activeDeviceAdminComp) {
                    deviceAdminAppList.add(cn.getPackageName());
                }
            }
        }

    And finally, this block of code will check whether there is any app in both lists:

        public boolean getVerdict() {
            boolean result = false;
            for (AccessibilityServiceInfo asi : a11yServiceList) {
                // getId() is the flattened component name "package/class"; compare the
                // package part exactly so that packages sharing only a prefix do not match
                String id = asi.getId();
                int slash = id.indexOf('/');
                String a11yPackage = slash > 0 ? id.substring(0, slash) : id;
                for (String pn : deviceAdminAppList) {
                    if (a11yPackage.equals(pn)) {
                        Log.d(TAG, "[!] app '" + pn + "' is suspicious (a11y + device admin)");
                        suspiciousAppList.add(pn);
                        result = true;
                    }
                }
            }
            return result;
        }
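    The three steps above (enumerate accessibility services, enumerate device admins, intersect the two) combined into one self-contained class. This is an added example, not code from the original page or from Guardsquare; the class name, the allow-list parameter and the method names are assumptions. It adds two things the snippets do not show: the intersection is done on exact package names taken from each service's ResolveInfo rather than on substrings of the service id, and an allow-list of trusted packages is honoured, which ties the check back to the accessibility-service allow-listing technique it extends. The API 34 guard reflects the limitation stated in the technique summary.

```java
import android.accessibilityservice.AccessibilityServiceInfo;
import android.app.admin.DevicePolicyManager;
import android.content.ComponentName;
import android.content.Context;
import android.os.Build;
import android.view.accessibility.AccessibilityManager;

import java.util.ArrayList;
import java.util.Collections;
import java.util.HashSet;
import java.util.List;
import java.util.Set;

/** Flags packages that hold both an enabled accessibility service and an active device admin. */
public final class A11yDeviceAdminCheck {   // hypothetical class name

    private final Context context;
    private final Set<String> allowedPackages; // allow-list: packages trusted to hold both privileges

    public A11yDeviceAdminCheck(Context context, Set<String> allowedPackages) {
        this.context = context.getApplicationContext();
        this.allowedPackages = new HashSet<>(allowedPackages);
    }

    /** True when the device is inside the technique's supported range (API level 34 and above). */
    public static boolean isSupported() {
        return Build.VERSION.SDK_INT >= Build.VERSION_CODES.UPSIDE_DOWN_CAKE; // 34
    }

    /** Package names of every enabled accessibility service. */
    Set<String> accessibilityPackages() {
        AccessibilityManager am = (AccessibilityManager) context.getSystemService(Context.ACCESSIBILITY_SERVICE);
        Set<String> out = new HashSet<>();
        if (am == null) return out;
        for (AccessibilityServiceInfo asi : am.getEnabledAccessibilityServiceList(AccessibilityServiceInfo.FEEDBACK_ALL_MASK)) {
            // ResolveInfo carries the owning package directly, so getId() need not be parsed
            if (asi.getResolveInfo() != null && asi.getResolveInfo().serviceInfo != null) {
                out.add(asi.getResolveInfo().serviceInfo.packageName);
            }
        }
        return out;
    }

    /** Package names of every active device admin. */
    Set<String> deviceAdminPackages() {
        DevicePolicyManager dpm = (DevicePolicyManager) context.getSystemService(Context.DEVICE_POLICY_SERVICE);
        Set<String> out = new HashSet<>();
        if (dpm == null) return out;
        List<ComponentName> admins = dpm.getActiveAdmins();
        if (admins == null) return out;
        for (ComponentName cn : admins) out.add(cn.getPackageName());
        return out;
    }

    /** Pure intersection, kept free of Android calls so it can be unit-tested off-device. */
    static List<String> intersect(Set<String> a11y, Set<String> admins, Set<String> allowed) {
        List<String> suspicious = new ArrayList<>();
        for (String pkg : a11y) {
            if (admins.contains(pkg) && !allowed.contains(pkg)) suspicious.add(pkg);
        }
        Collections.sort(suspicious);
        return suspicious;
    }

    /** Sorted suspicious packages; empty when nothing matched or the API level is unsupported. */
    public List<String> suspiciousPackages() {
        if (!isSupported()) return Collections.emptyList();
        return intersect(accessibilityPackages(), deviceAdminPackages(), allowedPackages);
    }
}
```

    Call `new A11yDeviceAdminCheck(context, allowList).suspiciousPackages()` from the same place the page's `getVerdict()` would run; a non-empty result is the verdict. Keeping `intersect` as a static method over plain sets lets the matching logic be tested with constructed package names without an emulator, and returning an empty list below API 34 makes the caller fall back to the other techniques the summary recommends for older devices rather than trusting an unsupported check.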


    Guardsquare
