Hacktricks-skills android-accessibility-pentest

Android Accessibility Service security analysis and pentesting. Use this skill whenever the user mentions Android security testing, accessibility service abuse, RAT detection, malware analysis, ClayRat, PlayPraetor, overlay phishing, credential harvesting, or any Android app security assessment involving AccessibilityService APIs. This skill helps detect malicious accessibility services, analyze abuse patterns, and harden apps against accessibility-based attacks.

install
source · Clone the upstream repo
git clone https://github.com/abelrguezr/hacktricks-skills
Claude Code · Install into ~/.claude/skills/
T=$(mktemp -d) && git clone --depth=1 https://github.com/abelrguezr/hacktricks-skills "$T" && mkdir -p ~/.claude/skills && cp -r "$T/skills/mobile-pentesting/android-app-pentesting/accessibility-services-abuse" ~/.claude/skills/abelrguezr-hacktricks-skills-android-accessibility-pentest && rm -rf "$T"
manifest: skills/mobile-pentesting/android-app-pentesting/accessibility-services-abuse/SKILL.MD
source content

Android Accessibility Service Pentesting

A skill for analyzing, detecting, and testing Android Accessibility Service abuse patterns in security assessments.

When to use this skill

Use this skill when:

  • Analyzing Android apps for malicious accessibility services
  • Testing for overlay phishing or credential harvesting vulnerabilities
  • Investigating RATs like ClayRat, PlayPraetor, SpyNote, BrasDex, SOVA, ToxicPanda
  • Assessing banking app security against accessibility-based attacks
  • Detecting on-device fraud (ODF) automation patterns
  • Reviewing APK manifests for suspicious accessibility configurations
  • Hardening apps against accessibility service abuse
  • Understanding Android RAT command & control workflows

Core Concepts

What is AccessibilityService Abuse?

AccessibilityService was designed to help users with disabilities interact with Android devices. However, the same powerful automation APIs can be weaponized by malware to gain complete remote control of the handset without root privileges.

Key capabilities attackers exploit:

  • Capture every UI event and text on screen
  • Inject synthetic gestures (dispatchGesture)
  • Perform global actions (performGlobalAction)
  • Draw full-screen overlays using TYPE_ACCESSIBILITY_OVERLAY (no SYSTEM_ALERT_WINDOW prompt!)
  • Silently grant additional runtime permissions by clicking system dialogs

The Attack Recipe

  1. Social engineering → Victim enables rogue accessibility service (requires explicit user action for BIND_ACCESSIBILITY_SERVICE permission)
  2. Leverage the service → Capture UI events, inject gestures, draw overlays, auto-grant permissions
  3. Exfiltrate or perform ODF → Real-time fraud while user sees a normal screen

Detection Methods

1. Check Enabled Accessibility Services

# List all enabled accessibility services
adb shell settings get secure enabled_accessibility_services

# Detailed accessibility dump
adb shell dumpsys accessibility | grep "Accessibility Service"

# Check for suspicious services in Settings
# Settings → Accessibility → Downloaded services
# Look for apps NOT from Google Play

2. Analyze APK Manifest

Look for these patterns in AndroidManifest.xml:

<!-- Suspicious accessibility service declaration -->
<service
    android:name="com.evil.rat.EvilService"
    android:permission="android.permission.BIND_ACCESSIBILITY_SERVICE"
    android:exported="false">
    
    <intent-filter>
        <action android:name="android.accessibilityservice.AccessibilityService" />
    </intent-filter>
    
    <meta-data android:name="android.accessibilityservice"
        android:resource="@xml/evil_accessibility_config"/>
</service>

Red flags in accessibility config XML:

  • android:canPerformGestures="true" - Can inject gestures
  • android:canRetrieveWindowContent="true" - Can read screen content
  • android:accessibilityEventTypes="typeAllMask" - Captures all events
  • android:notificationTimeout="200" - Very low timeout (aggressive monitoring)
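An added triage helper (example code, not part of the skill) covering both detection steps above: it splits the value returned by the adb settings command in step 1 into (package, class) pairs and flags packages outside an allowlist, then scores an accessibility config XML against the red flags listed in step 2. The allowlist and the sample setting/config values are constructed for illustration.

```python
import xml.etree.ElementTree as ET

ANDROID_NS = "http://schemas.android.com/apk/res/android"
# Constructed allowlist of service packages the assessor trusts (assumption).
TRUSTED_PACKAGES = {"com.google.android.marvin.talkback"}

def parse_enabled_services(setting_value):
    """'pkg/cls:pkg2/cls2' (or 'null') -> list of (package, qualified class)."""
    value = setting_value.strip()
    if not value or value == "null":
        return []
    pairs = []
    for entry in value.split(":"):
        pkg, _, cls = entry.partition("/")
        if cls.startswith("."):   # ".EvilService" is shorthand relative to pkg
            cls = pkg + cls
        pairs.append((pkg, cls))
    return pairs

def untrusted_services(setting_value, trusted=TRUSTED_PACKAGES):
    """Enabled services whose package is not on the allowlist."""
    return [p for p in parse_enabled_services(setting_value) if p[0] not in trusted]

def config_red_flags(xml_text):
    """Red flags in the @xml accessibility_service config the service points to."""
    root = ET.fromstring(xml_text)
    attr = lambda name: root.get("{%s}%s" % (ANDROID_NS, name))
    flags = []
    if attr("canPerformGestures") == "true":
        flags.append("canPerformGestures")
    if attr("canRetrieveWindowContent") == "true":
        flags.append("canRetrieveWindowContent")
    if "typeAllMask" in (attr("accessibilityEventTypes") or "").split("|"):
        flags.append("typeAllMask")
    timeout = attr("notificationTimeout")
    if timeout is not None and int(timeout) <= 200:   # aggressive polling
        flags.append("notificationTimeout=" + timeout)
    return flags

# Constructed sample values, not captured from a real device.
SAMPLE_SETTING = ("com.google.android.marvin.talkback/"
                  "com.google.android.marvin.talkback.TalkBackService:"
                  "com.evil.rat/.EvilService")
SAMPLE_CONFIG = ('<accessibility-service xmlns:android="%s" '
                 'android:accessibilityEventTypes="typeAllMask" '
                 'android:canRetrieveWindowContent="true" '
                 'android:canPerformGestures="true" '
                 'android:notificationTimeout="200"/>' % ANDROID_NS)
```

Feed the real value of `adb shell settings get secure enabled_accessibility_services` to untrusted_services() and the decoded @xml resource named in the service's meta-data to config_red_flags().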

3. Runtime Detection

# Check running services
adb shell dumpsys activity services | grep -i accessibility

# Check for overlay windows
adb shell dumpsys window windows | grep -i overlay

# Check device admin receivers
adb shell dumpsys device_policy

Abuse Patterns to Detect

Pattern 1: Overlay Phishing (Credential Harvesting)

What it does: Transparent/opaque WebView added via TYPE_ACCESSIBILITY_OVERLAY to capture credentials while the real app receives gestures.

Detection indicators:

  • WindowManager.LayoutParams with TYPE_ACCESSIBILITY_OVERLAY
  • FLAG_NOT_FOCUSABLE | FLAG_NOT_TOUCH_MODAL flags
  • WebView or custom view added to WindowManager
  • No SYSTEM_ALERT_WINDOW permission requested

ClayRat commands:

  • show_block_screen / hide_block_screen - Toggle overlay templates
  • Downloads overlay templates from C2
  • Can black out screen, show fake system updates, or display interactive PIN pad

Pattern 2: On-Device Fraud Automation

What it does: Real-time unauthorized transactions via WebSocket commands translated to low-level gestures.

Detection indicators:

  • Persistent WebSocket connection (often port 8282)
  • Commands like init, update, alert_arr, report_list
  • Banking app navigation patterns in logs
  • dispatchGesture calls with banking app coordinates

Malware families: PlayPraetor, ClayRat

Pattern 3: Screen Streaming & Monitoring

What it does: VNC-like remote desktop via MediaProjection + Accessibility auto-click.

Detection indicators:

  • MediaProjection token creation
  • VirtualDisplay with ImageReader
  • Foreground service for frame capture
  • JPEG/PNG encoding with quality parameter
  • HTTP→WebSocket upgrade with custom user-agent (e.g., ClayRemoteDesktop)

ClayRat commands:

  • turbo_screen - Triggers MediaProjection consent (auto-clicked)
  • start_desktop / stop_desktop - Manage capture threads
  • screen_tap, screen_swipe, input_text - Replay gestures
  • set_quality - Adjust encoding quality (default 60)

Pattern 4: Lock-Screen Credential Theft

What it does: Captures PIN, password, or pattern from lock screen and enables auto-unlock.

Detection indicators:

  • Subscribes to TYPE_WINDOW_CONTENT_CHANGED / TYPE_VIEW_TEXT_CHANGED
  • Listens to com.android.systemui (Keyguard) events
  • Stores credentials in SharedPreferences under lock_password_storage
  • auto_unlock command triggers unlock_device / screen_on

Capture methods:

  • PIN: Watches keypad button presses
  • Password: Concatenates strings from focused password field
  • Pattern: Records ordered node indices from gesture coordinates

Pattern 5: Notification Phishing & Harvesting

What it does: Notification Listener dumps OTP/MFA messages and crafts fake notifications.

Detection indicators:

  • NotificationListenerService registered
  • get_push_notifications command dumps visible notifications
  • notifications_enabled flag for real-time streaming
  • send_push_notification crafts fake interactive notifications

Pattern 6: Telephony & SMS Command Channel

What it does: Complete modem control after setting RAT as default SMS app.

Detection indicators:

  • Default SMS app permission granted
  • Commands: send_sms, retransmishion, messsms, make_call
  • get_sms_list, get_sms, get_call_log, get_calls
  • Contacts database iteration for worm-like propagation

Pattern 7: Discovery, Collection & Proxying

What it does: Environment mapping and C2 resilience.

Detection indicators:

  • get_apps / get_apps_list - Enumerate installed packages (ATT&CK T1418)
  • get_device_info - Model, OS version, battery state (T1426)
  • get_cam / get_camera - Front-camera stills
  • get_keylogger_data - Lock PINs, passwords, view descriptions
  • get_proxy_data - Proxy WebSocket URL for HTTP/HTTPS tunneling (T1481.002 / T1646)

Packed Accessibility Droppers

ClayRat v3.0.8 pattern (ATT&CK T1406.002):

  1. Streams encrypted blob from assets/*.dat
  2. Decrypts with hard-coded AES/CBC key + IV
  3. Writes plaintext DEX to app's private dir
  4. Loads via DexClassLoader (spyware classes only in memory)

Detection:

  • Look for assets/*.dat or similar encrypted blobs
  • Search for AES/CBC decryption patterns in decompiled code
  • DexClassLoader instantiation with temp DEX files
  • getCodeCacheDir() usage for loading
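An added entropy scan (example code, not part of the skill) for the first detection item above: it walks the assets/ entries of an APK zip and reports large entries whose byte distribution is near-random, which is how an AES/CBC-encrypted DEX looks before the dropper decrypts it. The sample APK is built in memory from constructed data; the 7.5 bits/byte threshold and 4 KiB minimum size are assumptions.

```python
import io
import math
import os
import zipfile

def shannon_entropy(data):
    """Bits per byte: ~8.0 for encrypted or compressed bytes, far lower for text."""
    if not data:
        return 0.0
    counts = [0] * 256
    for b in data:
        counts[b] += 1
    n = len(data)
    return -sum(c / n * math.log2(c / n) for c in counts if c)

def suspicious_assets(apk_bytes, threshold=7.5, min_size=4096):
    """(name, size, entropy) for assets/ entries that look like encrypted blobs.
    threshold and min_size are assumptions chosen to skip small resource files."""
    hits = []
    with zipfile.ZipFile(io.BytesIO(apk_bytes)) as z:
        for info in z.infolist():
            if not info.filename.startswith("assets/") or info.file_size < min_size:
                continue
            data = z.read(info)
            ent = shannon_entropy(data)
            # AES/CBC output has no recognisable header; a plain DEX starts with b"dex\n"
            if ent >= threshold and not data.startswith(b"dex\n"):
                hits.append((info.filename, info.file_size, round(ent, 2)))
    return hits

def build_sample_apk():
    """Constructed in-memory stand-in for an APK, not a real malware sample."""
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w", zipfile.ZIP_STORED) as z:
        z.writestr("assets/config.json", b'{"msg": "hello"}' * 512)   # low entropy
        z.writestr("assets/payload.dat", os.urandom(16384))          # stands in for AES/CBC output
        z.writestr("classes.dex", b"dex\n035\0" + b"\0" * 8192)      # outside assets/, ignored
    return buf.getvalue()
```

Point suspicious_assets() at the bytes of a real APK; any hit is a candidate for the AES/CBC and DexClassLoader review in the next two items.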

C2 Workflow Analysis

PlayPraetor Command & Control

  1. HTTP(S) heartbeat - Iterate hard-coded domains until one answers POST /app/searchPackageName
  2. WebSocket (port 8282) - Bidirectional JSON commands:
    • update - Push new config/APKs
    • alert_arr - Configure overlay templates
    • report_list - Send targeted package names
    • heartbeat_web - Keep-alive
  3. RTMP (port 1935) - Live screen/video streaming
  4. REST exfiltration:
    • /app/saveDevice - Fingerprint
    • /app/saveContacts | /app/saveSms | /app/uploadImageBase64
    • /app/saveCardPwd - Bank credentials
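An added network triage example (not part of the skill) that turns the C2 workflow above, plus the WebSocket 8282 and ClayRemoteDesktop indicators from Patterns 2 and 3, into detection logic over captured requests. The tab-separated capture format and the sample lines are constructed; the .invalid hostnames are placeholders, not real infrastructure.

```python
import re

C2_PATH_RE = re.compile(r"^/app/(searchPackageName|saveDevice|saveContacts|"
                        r"saveSms|uploadImageBase64|saveCardPwd)$")
SUSPECT_PORTS = {8282: "websocket-c2", 1935: "rtmp-stream"}
SUSPECT_UA = {"ClayRemoteDesktop"}

def parse_line(line):
    """Constructed tab-separated capture: host port method path user_agent [upgrade]."""
    parts = line.rstrip("\n").split("\t")
    if len(parts) < 5:
        return None
    host, port, method, path, ua = parts[:5]
    return {"host": host, "port": int(port), "method": method, "path": path,
            "ua": ua, "upgrade": parts[5] if len(parts) > 5 else ""}

def indicators(rec):
    """Labels for every indicator a single request matches."""
    hits = []
    if rec["port"] in SUSPECT_PORTS:
        hits.append(SUSPECT_PORTS[rec["port"]])
    if rec["upgrade"].lower() == "websocket":
        hits.append("ws-upgrade")
    if rec["ua"] in SUSPECT_UA:
        hits.append("ua:" + rec["ua"])
    m = C2_PATH_RE.match(rec["path"])
    if m and rec["method"] == "POST":
        hits.append("c2-path:" + m.group(1))
    return hits

def triage(lines):
    """Map each host with at least one hit to its sorted indicator labels."""
    report = {}
    for line in lines:
        rec = parse_line(line)
        if rec is None:
            continue
        for label in indicators(rec):
            report.setdefault(rec["host"], set()).add(label)
    return {host: sorted(labels) for host, labels in report.items()}

# Indicators come from the PlayPraetor/ClayRat workflow above; the capture is constructed.
SAMPLE_LOG = [
    "c2-a.invalid\t443\tPOST\t/app/searchPackageName\tokhttp/4.9\t",
    "c2-a.invalid\t8282\tGET\t/\tokhttp/4.9\twebsocket",
    "c2-a.invalid\t1935\tCONNECT\t/\t-\t",
    "c2-a.invalid\t443\tPOST\t/app/saveCardPwd\tokhttp/4.9\t",
    "cdn.invalid\t443\tGET\t/index.html\tMozilla/5.0\t",
    "rd.invalid\t443\tGET\t/\tClayRemoteDesktop\twebsocket",
]
```

A host that accumulates several distinct labels (heartbeat path, 8282 WebSocket, RTMP, credential upload) is far stronger evidence than any single port match, so review the combined list per host rather than alerting on individual lines.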

Hardening Recommendations

For App Developers

  1. Mark sensitive views (API 34+):

    android:accessibilityDataSensitive="accessibilityDataPrivateYes"

  2. Prevent tap/overlay hijacking:

    // Per View: drop touches delivered while another window covers this view
    sensitiveView.setFilterTouchesWhenObscured(true);
    // Per Window: keep the window out of screenshots and MediaProjection capture
    getWindow().setFlags(WindowManager.LayoutParams.FLAG_SECURE,
                         WindowManager.LayoutParams.FLAG_SECURE);

  3. Detect overlays:

    // Poll display flags (getDefaultDisplay() is deprecated since API 30)
    int displayFlags = getWindowManager().getDefaultDisplay().getFlags();
    // Or use ViewRootImpl API

  4. Refuse operation when suspicious:

    // Settings.canDrawOverlays() requires a Context; hasUntrustedAccessibilityService()
    // is the app's own check of the enabled services against an allowlist
    if (Settings.canDrawOverlays(this) || hasUntrustedAccessibilityService()) {
        // Block sensitive operations
    }


For Enterprise/MDM

  • Enforce ACCESSIBILITY_ENFORCEMENT_DEFAULT_DENY (Android 13+) to block sideloaded services
  • Monitor enabled_accessibility_services setting changes
  • Alert on non-Play Store accessibility services

Testing Checklist

When assessing an app for accessibility abuse:

  • Check manifest for BIND_ACCESSIBILITY_SERVICE permission
  • Review accessibility config XML for dangerous flags
  • Test if app operates when suspicious accessibility service is enabled
  • Check for overlay detection mechanisms
  • Verify sensitive data is marked accessibilityDataSensitive
  • Test with FLAG_SECURE enabled
  • Monitor for dispatchGesture and performGlobalAction calls
  • Check for MediaProjection abuse patterns
  • Review network traffic for C2 patterns (WebSocket 8282, RTMP 1935)
  • Analyze assets for encrypted payloads

References