LocalizeApp banking trojan: yet again abusing Accessibility Services

@cryptax
4 min readApr 9, 2021

--

Around April 1st 2021 (no joke), a new malware surfaced posing as “Localize Já!” [ref]. Its SHA256: be3d8500df167b9aaf21c5f76df61c466808b8fdf60e4a7da8d6057d476282b6

“Find it now” in English — to find your misplaced smartphone.

Banbra, BasBanke, or BrazKing?

As usual, it is difficult to classify this sample in a given malware family. Some tell you this is Banbra [ref], others that this is BasBanke ([ref1], [ref2] and [ref3]), and yet others naming it BrazKing [ref]. In each case, there are similarities, but enough differences to leave doubts (different organization of code, different communication with CnC etc).

Communication with CnC

The remote CnC, atualservicenovo.hopto.org on port 5000, is no longer responding, but the malware used to communicate with that host using Socket.IO, an event-driven socket communication SDK.

When the malware successively connects to the socket server, it receives a “connect” event.

The malware manages several other events such as “seta_tela_cef” (looks like this sets the URL to retrieve a fake image for Caixa Economica Federal), “get_tamanho_tela” (retrieve smartphone’s screen size) etc.

The server sends commands as socket events, e.g “seta_tela_cef”. The events are handled here by the code of the malware, adjusting the malware’s configuration.
Socket events the malware handles
The malware can also send a structure which contains a list of operations to perform (see BKING_OPERA socket event). This table lists some of the possible operations. We will detail how some of them are implemented in the rest of this article.

Connecting to Accessibility Services

I haven’t done any statistics to be honest, but abusing Android Accessibility Services feels like the new (or not so new) trend: all samples I have analyzed last month were abusing AAS, one way or another!

That being said, understanding code that deals with AAS isn’t very easy. It is worth a few explanations.

The malware declares an Accessibility Service in the Android manifest. The service is named com.gservice.autobot.Acessibilidade and it requests the BIND_ACCESSIBILITY_SERVICE.

<service android:description="@string/TESTE" android:enabled="true" android:exported="true" android:label=": Localize Já! Rastreio Online para android" android:name="com.gservice.autobot.Acessibilidade" android:permission="android.permission.BIND_ACCESSIBILITY_SERVICE">
<intent-filter>
<action android:name="android.accessibilityservice.AccessibilityService"/>
</intent-filter>
<meta-data android:name="android.accessibilityservice" android:resource="@xml/accessibilityservice"/>
</service>

The precise accessibility capabilities are listed in an XML resource (@xml/accessibilityservice). For example, it asks to perform gestures and retrieve window content. It gets notified for any feedback or events.

<accessibility-service android:accessibilityEventTypes="0xffffffff" android:accessibilityFeedbackType="0xffffffff" android:accessibilityFlags="0x53" android:canPerformGestures="true" android:canRequestFilterKeyEvents="true" android:canRetrieveWindowContent="true" android:description="@string/TESTE" android:notificationTimeout="100" xmlns:android="http://schemas.android.com/apk/res/android"/>
Granting Accessibility rights cannot be hidden to the end-user. So the app makes the end-user believe this is necessary for the app to work.

Clicking at given coordinates

Once accessibility rights are granted, the malware can basically pilot the smartphone and click wherever it wants. The CnC can for instance send an list of operations to perform, such as click at given (x,y) coordinates on the screen.

When the list of operations contains the keyword ND_CLICK_POS, the malware automatically performs a click on the given coordinates of the screen.

The click is performed by a method named Clicar_Pos. On Android, all nodes (see that as each component of screens: button, labels etc) are organized in hierarchy. The malware begins in the root window, checks if the given coordinates are within that node (if so, it clicks and it is the end). If not, the method searches recursively through children nodes until it finds the right one.

If the inspected node contains the given (x,y) coordinates, and is clickable, the method performs the ACTION_CLICK.

Writing text at given coordinates

Similarly, the malware is able to automatically insert input text. With accessibility services power, this is automatic, the end-user does not interact.

The method is the same as for clicking: from the root node, search recursively down all nodes to insert text in the appropriate node.

If the current node contains the coordinates (x,y), the code insert text in the node. If the current node does not contain (x,y), the search continues recursively with child nodes.

Entering input text occurs when CnC’s operations contain keyword ND_TEXTO. Similarly, the malware implements automatic insertion of gestures (ND_CLICK_G), or even drawing (ND_CLICK_DRAW) on the screen. The list of points of the drawing are provided by the CnC.

Navigating through windows

The malware can use the HOME, POWER, BACK (etc) buttons very simply through performGlobalAction.

The following actions occur when the CnC provides operations named respectively ND_BACK, ND_REBLLT, ND_HOME and ND_RECENTES

Dumping information

It seems harmless at first sight, but dumping all node information to the CnC actually leaks any kind of data: username, email, phone number, credit card number, password… Have a look at figures in this article, where a malware named Defensor ID, uses the same technique. The same occurs with our sample, data organization and labels are just different.

In LocalizeApp, this code dumps information for all visible nodes

For each node, the following information is dumped: coordinates, text (this will contains passwords for example), if the node is clickable, visible, its resource identifier, description, classname, package name.

infos = nodeinfo_x + ":" + nodeinfo_y + ";!!;" + nodeinfo_text + ";!!;0xxx;!!;" + isclickable + ";!!;" + isvisible + ";!!;" + viewidres + ";!!;" + contentdesc + ";!!;" + packagename + ";!!;" + node_classname + ";!!;" + rect_info + "@";

Conclusion

IMHO, Accessibility Services on Android are too powerful — and thus too interesting to abuse by malware. Probably Android designers need to contact developers writing legitimate apps for people with disabilities to check out what they really need. I understand text to speech, or zooming, or contrast. I am not so sure about allowing an app to “click through”. But people with the relevant disabilities should speak for themselves.

— Cryptax

--

--

@cryptax

Mobile and IoT malware researcher. The postings on this account are solely my own opinion and do not represent my employer.