Reducing the Forensic Footprint with Android Accessibility Attacks
Android accessibility features include a robust set of tools allowing developers to create apps for assisting people with disabilities. Unfortunately, this useful set of tools can also be abused and turned into an attack vector, providing malware with the ability to interact and read content from third-party apps. In this work, we are the first to study the impact that the stealthy exploitation of Android accessibility services can have on significantly reducing the forensic footprint of malware attacks, thus hindering both live and post-incident forensic investigations. We show that through Living off the Land (LotL) tactics, or by offering a malware-only substitute for attacks typically requiring more elaborate schemes, accessibility-based malware can be rendered virtually undetectable. In the LotL approach, we demonstrate accessibility-enabled SMS and command and control (C2) capabilities. As for the latter, we show a complete cryptocurrency wallet theft, whereby the accessibility trojan can hijack the entire withdrawal process of a widely used app, including two-factor authentication (2FA). In both cases, we demonstrate how the attacks result in significantly diminished forensic evidence when compared to similar attacks not employing accessibility tools, even to the extent of maintaining device take-over without requiring malware persistence.
Main authors: | Leguesse, Yonas; Vella, Mark; Colombo, Christian; Hernandez-Castro, Julio |
---|---|
Format: | Online Article Text |
Language: | English |
Published: | 2020 |
Subjects: | Article |
Online access: | https://www.ncbi.nlm.nih.gov/pmc/articles/PMC7491630/ http://dx.doi.org/10.1007/978-3-030-59817-4_2 |
Record ID: | pubmed-7491630 |
Collection: | PubMed (National Center for Biotechnology Information) |
Record format: | MEDLINE/PubMed |
Published in: | Security and Trust Management |
Published online: | 2020-08-24 |
License: | © The Author(s) 2020. Open Access. This chapter is licensed under the terms of the Creative Commons Attribution 4.0 International License (http://creativecommons.org/licenses/by/4.0/), which permits use, sharing, adaptation, distribution and reproduction in any medium or format, as long as you give appropriate credit to the original author(s) and the source, provide a link to the Creative Commons license and indicate if changes were made. The images or other third party material in this chapter are included in the chapter's Creative Commons license, unless indicated otherwise in a credit line to the material. If material is not included in the chapter's Creative Commons license and your intended use is not permitted by statutory regulation or exceeds the permitted use, you will need to obtain permission directly from the copyright holder. |