July 1, 2015
Japanese Malware Abuses Service | Android Accessibility
The accessibility service in Android helps give the disabled and individuals with restricted access to their phones alternative ways to interact with their mobile devices. It also has unintentionally opened the door for Japanese surveillanceware to steal data from LINE, the most popular messaging service in Japan.
After discovering this threat, Lookout notified both LINE and Google. None of LINE's systems were breached. All Lookout users are protected against this threat.
AndroRATIntern
AndroRATIntern is surveillanceware developed from the AndroRAT malware toolkit. It is commercially sold under the name “AndroidAnalyzer” and is notably the first piece of malware we’ve ever seen abusing the Android accessibility service to steal data.
It targets the Japanese market and can collect a broad amount of data from infected devices, including LINE messages, contact data, call logs, SMS, audio, video, photos, SD card changes, and GPS location. Given the scope of the data collected, the threat to both individuals and enterprises is clear.
AndroRATIntern must be locally installed and therefore requires a malicious actor to have physical, unmonitored access to the target device, making it a much more targeted threat that cannot be spread by drive-by-download campaigns.
Stealing LINE data
If a person reads a message within an app, the content is protected and generally unavailable to other apps because the app lives in a sandbox. The accessibility service, however, can provide an app with access to other app’s data when accessed by the device user. This enables specific accessibility features such as text-to-speech, which can help visually-impaired users. In the case of AndroRATIntern, the use of the accessibility service enables the threat to capture LINE messages when they are opened by the victim on an infected device.
Surveillanceware itself as a target
One of the risks associated with surveillanceware like AndroRATInternisn’t just that the person who installed the threat on your device has your data, but that company that offers the surveillanceware may have your data as well and itself become a target of attack.
In May 2015, for example, malicious actors compromised the commercial surveillanceware product mSpy stealing Apple IDs and passwords, tracking data, and more from hundreds of thousands of victims, according to Brian Krebs. A surveillanceware service provider can have a veritable warehouse of valuable data collected from successfully-infected devices and this warehouse can be an attractive target for attackers.
Data is mobile
Mobile devices clearly house a lot of interesting data on an individual or a company. You can come to know who a person talks to, what they’re talking about, where they go, and what they’re saving to their phone.
AndroRATIntern’s abuse of the accessibility service highlights the importance of not relying solely on OS-based security to protect mobile data as it is, in fact, a malicious use of a legitimate OS service.
As an Android system service, the accessibility service operates outside of the normal app permission model and AndroRATIntern abuses this ability to circumvent app sandboxing measures intended to protect mobile data.
However, following some simple tips can dramatically help keep your data safe:
- Keep a passcode on your device -- it will be significantly harder for someone to download and install anything to your phone if it’s locked
- Download security software that can tell you if malicious software is running on your device