LocalizeApp banking trojan: yet again abusing Accessibility Services

The app poses as “Localize Já!” (“Find it now” in English), a tool to find your misplaced smartphone.

Banbra, BasBanke, or BrazKing?

Communication with CnC

When the malware successfully connects to the socket server, it receives a “connect” event.
The server then sends commands as named socket events, e.g. “seta_tela_cef”. Each event is handled by a dedicated piece of code in the malware, which adjusts the malware’s configuration accordingly.
Socket events the malware handles
The server can also send, through the BKING_OPERA socket event, a structure containing a list of operations for the malware to perform. The original post listed some of the possible operations in a table; we detail how some of them are implemented in the rest of this article.

Connecting to Accessibility Services

```xml
<!-- AndroidManifest.xml: the accessibility service declared by LocalizeApp -->
<service android:description="@string/TESTE"
         android:enabled="true"
         android:exported="true"
         android:label=": Localize Já! Rastreio Online para android"
         android:name="com.gservice.autobot.Acessibilidade"
         android:permission="android.permission.BIND_ACCESSIBILITY_SERVICE">
    <intent-filter>
        <action android:name="android.accessibilityservice.AccessibilityService"/>
    </intent-filter>
    <meta-data android:name="android.accessibilityservice"
               android:resource="@xml/accessibilityservice"/>
</service>
```

```xml
<!-- res/xml/accessibilityservice.xml: subscribes to every event type, may read
     window content and inject gestures. accessibilityFlags 0x53 includes
     flagReportViewIds (0x10), flagRetrieveInteractiveWindows (0x40) and
     flagIncludeNotImportantViews (0x02). -->
<accessibility-service xmlns:android="http://schemas.android.com/apk/res/android"
    android:accessibilityEventTypes="0xffffffff"
    android:accessibilityFeedbackType="0xffffffff"
    android:accessibilityFlags="0x53"
    android:canPerformGestures="true"
    android:canRequestFilterKeyEvents="true"
    android:canRetrieveWindowContent="true"
    android:description="@string/TESTE"
    android:notificationTimeout="100"/>
```
Granting Accessibility rights cannot be hidden from the end user: the service must be enabled explicitly in the system settings. So the app makes the end user believe this is necessary for the app to work.

Clicking at given coordinates

When the list of operations contains the keyword ND_CLICK_POS, the malware automatically performs a click at the given screen coordinates.
It walks the accessibility node tree: if the inspected node contains the given (x,y) coordinates and is clickable, the method performs ACTION_CLICK on it.

Writing text at given coordinates

If the current node contains the coordinates (x,y), the code inserts text into that node. If the current node does not contain (x,y), the search continues recursively with its child nodes.

Navigating through windows

Window navigation (back, home, recent apps, etc.) is triggered when the CnC provides operations named ND_BACK, ND_REBLLT, ND_HOME and ND_RECENTES respectively.
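The click, text-insertion and navigation operations described above, and the BKING_OPERA operation list that carries them, as an added Python simulation. This is illustration code, not the malware's own: the in-memory node tree stands in for AccessibilityNodeInfo, the operation field names (`op`, `x`, `y`, `text`), the `ND_WRITE_POS` name for the text-insertion operation and the use of ACTION_SET_TEXT are assumptions, and the screen layout is constructed.

```python
"""Simulation of how a BKING_OPERA operation list drives an accessibility
service: ND_CLICK_POS / ND_WRITE_POS hit-test the node tree for (x, y),
ND_BACK / ND_HOME / ND_RECENTES map to global actions.
Added illustration; node tree, op field names and ND_WRITE_POS are assumed."""
from dataclasses import dataclass, field
from typing import Callable, Dict, List, Optional, Tuple


@dataclass
class Node:
    """Stand-in for android.view.accessibility.AccessibilityNodeInfo."""
    bounds: Tuple[int, int, int, int]            # left, top, right, bottom
    clickable: bool = False
    editable: bool = False
    text: str = ""
    children: List["Node"] = field(default_factory=list)
    actions: List[str] = field(default_factory=list)   # performed actions

    def contains(self, x: int, y: int) -> bool:
        left, top, right, bottom = self.bounds
        return left <= x < right and top <= y < bottom


def find_node_at(node: Node, x: int, y: int,
                 wants: Callable[[Node], bool]) -> Optional[Node]:
    """Depth-first search like the malware's recursion: a node that contains
    (x, y) and satisfies `wants` is returned, otherwise its children are
    searched in order."""
    if node.contains(x, y) and wants(node):
        return node
    for child in node.children:
        hit = find_node_at(child, x, y, wants)
        if hit is not None:
            return hit
    return None


def click_at(root: Node, x: int, y: int) -> bool:
    """ND_CLICK_POS: ACTION_CLICK on the clickable node under (x, y)."""
    target = find_node_at(root, x, y, lambda n: n.clickable)
    if target is None:
        return False
    target.actions.append("ACTION_CLICK")
    return True


def write_at(root: Node, x: int, y: int, text: str) -> bool:
    """Text insertion at (x, y) on the editable node there (ACTION_SET_TEXT
    is an assumption; the page only says text is inserted into the node)."""
    target = find_node_at(root, x, y, lambda n: n.editable)
    if target is None:
        return False
    target.text = text
    target.actions.append("ACTION_SET_TEXT")
    return True


# Navigation operations -> performGlobalAction() constants.
GLOBAL_ACTIONS: Dict[str, str] = {
    "ND_BACK": "GLOBAL_ACTION_BACK",
    "ND_HOME": "GLOBAL_ACTION_HOME",
    "ND_RECENTES": "GLOBAL_ACTION_RECENTS",
}


def run_operations(root: Node, ops: List[dict]) -> List[str]:
    """Execute an operation list in order; returns a trace of what ran."""
    trace: List[str] = []
    for op in ops:
        kind = op["op"]
        if kind == "ND_CLICK_POS":
            ok = click_at(root, op["x"], op["y"])
            trace.append(f"click@{op['x']},{op['y']}:{'ok' if ok else 'miss'}")
        elif kind == "ND_WRITE_POS":
            ok = write_at(root, op["x"], op["y"], op["text"])
            trace.append(f"write@{op['x']},{op['y']}:{'ok' if ok else 'miss'}")
        elif kind in GLOBAL_ACTIONS:
            trace.append(GLOBAL_ACTIONS[kind])
        else:
            trace.append(f"unknown:{kind}")
    return trace


def demo() -> List[str]:
    # Constructed screen: a login form with a password field and a button.
    password = Node(bounds=(100, 400, 980, 480), editable=True)
    login = Node(bounds=(100, 600, 980, 700), clickable=True, text="Entrar")
    root = Node(bounds=(0, 0, 1080, 1920), children=[
        Node(bounds=(0, 200, 1080, 900), children=[password, login]),
    ])
    ops = [   # constructed BKING_OPERA payload
        {"op": "ND_WRITE_POS", "x": 500, "y": 440, "text": "hunter2"},
        {"op": "ND_CLICK_POS", "x": 500, "y": 650},
        {"op": "ND_CLICK_POS", "x": 5, "y": 5},      # nothing clickable there
        {"op": "ND_HOME"},
    ]
    return run_operations(root, ops)


if __name__ == "__main__":
    print(demo())
```

The point of the simulation is that the operator never needs to know view ids: once the node dump has told the CnC where fields and buttons are on screen, coordinates alone are enough to fill in and submit a form.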

Dumping information

In LocalizeApp, the following code dumps information for all visible nodes into a single string: fields are separated by ";!!;" and each node's record ends with "@".
```java
// One record per visible node; fields separated by ";!!;", records by "@"
infos = nodeinfo_x + ":" + nodeinfo_y + ";!!;" + nodeinfo_text + ";!!;0xxx;!!;"
      + isclickable + ";!!;" + isvisible + ";!!;" + viewidres + ";!!;"
      + contentdesc + ";!!;" + packagename + ";!!;" + node_classname + ";!!;"
      + rect_info + "@";
```
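A parser for that dump format, as an added example for analysts reconstructing what the operator saw (not the malware's code nor any published tool). It follows the format string above; the sample dump, the package name `br.com.bank`, the `true`/`false` encoding of the boolean fields and the `Rect(...)` form of the last field are constructed assumptions.

```python
"""Parse the LocalizeApp node dump: one record per node, fields joined by
';!!;', records terminated by '@'. Added example; sample data constructed."""
from typing import Dict, List

FIELD_SEP = ";!!;"
RECORD_END = "@"
# Fields after the leading "x:y" pair, in the order of the format string.
FIELDS = ("text", "marker", "clickable", "visible", "view_id",
          "content_desc", "package", "class_name", "rect")


def parse_record(rec: str) -> Dict[str, object]:
    parts = rec.split(FIELD_SEP)
    if len(parts) != len(FIELDS) + 1:
        raise ValueError(f"expected {len(FIELDS) + 1} fields, got {len(parts)}")
    x, y = parts[0].split(":", 1)        # first field is "nodeinfo_x:nodeinfo_y"
    node: Dict[str, object] = {"x": int(x), "y": int(y)}
    node.update(zip(FIELDS, parts[1:]))
    node["clickable"] = node["clickable"] == "true"   # assumed boolean encoding
    node["visible"] = node["visible"] == "true"
    return node


def parse_dump(dump: str) -> List[Dict[str, object]]:
    # Naive split: a '@' inside a text field (e.g. an e-mail address) would
    # break a record, since the format has no escaping.
    return [parse_record(r) for r in dump.split(RECORD_END) if r]


def credential_fields(nodes: List[Dict[str, object]]) -> List[Dict[str, object]]:
    """Triage helper: nodes whose view id or content description looks like a
    login field, i.e. likely targets for ND_CLICK_POS / text insertion."""
    keys = ("senha", "password", "login", "usuario", "user", "cpf")
    out = []
    for n in nodes:
        haystack = (str(n["view_id"]) + str(n["content_desc"])).lower()
        if any(k in haystack for k in keys):
            out.append(n)
    return out


# Constructed sample dump of a two-node login screen (hypothetical bank app).
SAMPLE_DUMP = (
    "540:440;!!;;!!;0xxx;!!;false;!!;true;!!;br.com.bank:id/senha;!!;Senha;!!;"
    "br.com.bank;!!;android.widget.EditText;!!;Rect(100, 400 - 980, 480)@"
    "540:650;!!;Entrar;!!;0xxx;!!;true;!!;true;!!;br.com.bank:id/btn_login;!!;;!!;"
    "br.com.bank;!!;android.widget.Button;!!;Rect(100, 600 - 980, 700)@"
)


if __name__ == "__main__":
    for n in credential_fields(parse_dump(SAMPLE_DUMP)):
        print(n["x"], n["y"], n["view_id"], n["class_name"], n["clickable"])
```

Because the dump carries the package name and view ids of whatever is on screen, it doubles as a fingerprint of the victim's banking app; if you recover these strings from network captures or a CnC database, the `view_id` values tell you which application screens were being driven.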

Conclusion

Mobile and IoT malware researcher. The postings on this account are solely my own opinion and do not represent my employer.

@cryptax