LocalizeApp banking trojan: yet again abusing Accessibility Services

Around April 1st 2021 (no joke), a new malware surfaced posing as “Localize Já!” [ref]. Its SHA256: be3d8500df167b9aaf21c5f76df61c466808b8fdf60e4a7da8d6057d476282b6

“Find it now” in English — to find your misplaced smartphone.

Banbra, BasBanke, or BrazKing?

Communication with CnC

When the malware successively connects to the socket server, it receives a “connect” event.

The malware manages several other events such as “seta_tela_cef” (looks like this sets the URL to retrieve a fake image for Caixa Economica Federal), “get_tamanho_tela” (retrieve smartphone’s screen size) etc.

The server sends commands as socket events, e.g “seta_tela_cef”. The events are handled here by the code of the malware, adjusting the malware’s configuration.
Socket events the malware handles
The malware can also send a structure which contains a list of operations to perform (see BKING_OPERA socket event). This table lists some of the possible operations. We will detail how some of them are implemented in the rest of this article.

Connecting to Accessibility Services

That being said, understanding code that deals with AAS isn’t very easy. It is worth a few explanations.

The malware declares an Accessibility Service in the Android manifest. The service is named com.gservice.autobot.Acessibilidade and it requests the BIND_ACCESSIBILITY_SERVICE.

<service android:description="@string/TESTE" android:enabled="true" android:exported="true" android:label=": Localize Já! Rastreio Online para android" android:name="com.gservice.autobot.Acessibilidade" android:permission="android.permission.BIND_ACCESSIBILITY_SERVICE">
<action android:name="android.accessibilityservice.AccessibilityService"/>
<meta-data android:name="android.accessibilityservice" android:resource="@xml/accessibilityservice"/>

The precise accessibility capabilities are listed in an XML resource (@xml/accessibilityservice). For example, it asks to perform gestures and retrieve window content. It gets notified for any feedback or events.

<accessibility-service android:accessibilityEventTypes="0xffffffff" android:accessibilityFeedbackType="0xffffffff" android:accessibilityFlags="0x53" android:canPerformGestures="true" android:canRequestFilterKeyEvents="true" android:canRetrieveWindowContent="true" android:description="@string/TESTE" android:notificationTimeout="100" xmlns:android="http://schemas.android.com/apk/res/android"/>
Granting Accessibility rights cannot be hidden to the end-user. So the app makes the end-user believe this is necessary for the app to work.

Clicking at given coordinates

When the list of operations contains the keyword ND_CLICK_POS, the malware automatically performs a click on the given coordinates of the screen.

The click is performed by a method named Clicar_Pos. On Android, all nodes (see that as each component of screens: button, labels etc) are organized in hierarchy. The malware begins in the root window, checks if the given coordinates are within that node (if so, it clicks and it is the end). If not, the method searches recursively through children nodes until it finds the right one.

If the inspected node contains the given (x,y) coordinates, and is clickable, the method performs the ACTION_CLICK.

Writing text at given coordinates

The method is the same as for clicking: from the root node, search recursively down all nodes to insert text in the appropriate node.

If the current node contains the coordinates (x,y), the code insert text in the node. If the current node does not contain (x,y), the search continues recursively with child nodes.

Entering input text occurs when CnC’s operations contain keyword ND_TEXTO. Similarly, the malware implements automatic insertion of gestures (ND_CLICK_G), or even drawing (ND_CLICK_DRAW) on the screen. The list of points of the drawing are provided by the CnC.

Navigating through windows

The following actions occur when the CnC provides operations named respectively ND_BACK, ND_REBLLT, ND_HOME and ND_RECENTES

Dumping information

In LocalizeApp, this code dumps information for all visible nodes

For each node, the following information is dumped: coordinates, text (this will contains passwords for example), if the node is clickable, visible, its resource identifier, description, classname, package name.

infos = nodeinfo_x + ":" + nodeinfo_y + ";!!;" + nodeinfo_text + ";!!;0xxx;!!;" + isclickable + ";!!;" + isvisible + ";!!;" + viewidres + ";!!;" + contentdesc + ";!!;" + packagename + ";!!;" + node_classname + ";!!;" + rect_info + "@";


— Cryptax

Mobile and IoT malware researcher. The postings on this account are solely my own opinion and do not represent my employer.

Get the Medium app

A button that says 'Download on the App Store', and if clicked it will lead you to the iOS App store
A button that says 'Get it on, Google Play', and if clicked it will lead you to the Google Play store