Input Injection
A malicious application can inject input to the user interface to mimic user interaction through the abuse of Android's accessibility APIs.
Input Injection can be achieved using any of the following methods:
- Mimicking user clicks on the screen, for example to steal money from a user's PayPal account.[1]
- Injecting global actions, such as GLOBAL_ACTION_BACK (programmatically mimicking a physical back button press), to trigger actions on behalf of the user.[2]
- Inserting input into text fields on behalf of the user. This method is used legitimately to auto-fill text fields by applications such as password managers.[3]
Procedure Examples
Name | Description
---|---
Cerberus | Cerberus can inject input to grant itself additional permissions without user interaction and to prevent application removal.[8][9]
DEFENSOR ID | DEFENSOR ID can abuse the accessibility service to perform actions on behalf of the user, including launching attacker-specified applications to steal data.[7]
Ginp | Ginp can inject input to make itself the default SMS handler.[6]
Gustuff | Gustuff injects the global action
Riltok | Riltok injects input to set itself as the default SMS handler by clicking the appropriate places on the screen. It can also close or minimize targeted antivirus applications and the device security settings screen.[4]
TrickMo | TrickMo can inject input to set itself as the default SMS handler, and to automatically click through pop-ups without giving the user any time to react.[5]
Mitigations
Mitigation | Description
---|---
Application Vetting | Applications that register an accessibility service should be scrutinized further for malicious behavior.
Enterprise Policy | An EMM/MDM can use the Android
User Guidance | Users should be warned against granting access to accessibility features, and to carefully scrutinize applications that request this dangerous permission.
Detection
Users can view applications that have registered accessibility services in the accessibility menu within the device settings.
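The same check can be scripted for a fleet of managed devices. The following is an added example, not part of the ATT&CK page: it parses the value of Android's secure setting enabled_accessibility_services (what `adb shell settings get secure enabled_accessibility_services` prints, a colon-separated list of package/service-class component names) and flags every enabled accessibility service whose package is not on a vetted allowlist, which is the signal the Application Vetting mitigation above relies on. The sample device output and the allowlist package names are constructed for illustration.

```python
"""Flag enabled Android accessibility services that are not on an allowlist.

Added example (not from the ATT&CK page). Input is the value of the secure setting
`enabled_accessibility_services`, which Android stores as ComponentName strings
("package/service-class") separated by colons. The short form "pkg/.Service" is
also accepted and expanded. The allowlist and sample output are constructed.
"""
from dataclasses import dataclass
from typing import List, Set

# Constructed sample of `settings get secure enabled_accessibility_services` output:
# a screen reader, a password manager's autofill service, and an unvetted app.
SAMPLE_SETTING = (
    "com.google.android.marvin.talkback/com.google.android.marvin.talkback.TalkBackService:"
    "com.example.pwmanager/com.example.pwmanager.AutofillAccessibilityService:"
    "com.flashlight.free/com.flashlight.free.a.b"
)

# Constructed allowlist: packages the organisation has vetted for accessibility access.
ALLOWED_PACKAGES: Set[str] = {
    "com.google.android.marvin.talkback",
    "com.example.pwmanager",
}


@dataclass(frozen=True)
class AccessibilityService:
    package: str
    service_class: str


def parse_enabled_services(setting_value: str) -> List[AccessibilityService]:
    """Split the setting into (package, class) pairs; "null" or empty means none enabled."""
    value = (setting_value or "").strip()
    if value in ("", "null"):
        return []
    services = []
    for entry in value.split(":"):
        entry = entry.strip()
        if not entry:
            continue
        package, _, cls = entry.partition("/")
        # Android allows the abbreviated "pkg/.Service" form; expand it to the full class name.
        if cls.startswith("."):
            cls = package + cls
        services.append(AccessibilityService(package, cls))
    return services


def find_unexpected_services(setting_value: str,
                             allowed: Set[str] = ALLOWED_PACKAGES) -> List[AccessibilityService]:
    """Return the enabled services whose package has not been vetted."""
    return [s for s in parse_enabled_services(setting_value) if s.package not in allowed]


if __name__ == "__main__":
    for svc in find_unexpected_services(SAMPLE_SETTING):
        print(f"REVIEW: {svc.package} has an enabled accessibility service ({svc.service_class})")
```

In practice the setting value comes from `adb shell settings get secure enabled_accessibility_services` or from an MDM inventory export; the package names it reports are the ones to review against the Application Vetting mitigation, since an accessibility service is the prerequisite for every injection method listed above.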
References
- Lukáš Štefanko. (2018, December 11). Android Trojan steals money from PayPal accounts even with 2FA on. Retrieved July 11, 2019.
- Vitor Ventura. (2019, April 9). Gustuff banking botnet targets Australia. Retrieved September 3, 2019.
- Bitwarden. (n.d.). Auto-fill logins on Android. Retrieved September 15, 2019.
- Tatyana Shishkova. (2019, June 25). Riltok mobile Trojan: A banker with global reach. Retrieved August 7, 2019.
- P. Asinovsky. (2020, March 24). TrickBot Pushing a 2FA Bypass App to Bank Customers in Germany. Retrieved April 24, 2020.
- ThreatFabric. (2019, November). Ginp - A malware patchwork borrowing from Anubis. Retrieved April 8, 2020.
- L. Stefanko. (2020, May 22). Insidious Android malware gives up all malicious features but one to gain stealth. Retrieved June 26, 2020.
- Threat Fabric. (2019, August). Cerberus - A new banking Trojan from the underworld. Retrieved June 26, 2020.
- A. Hazum, B. Melnykov, C. Efrati, D. Golubenko, I. Wernik, L. Kuperman, O. Mana. (2020, April 29). First seen in the wild – Malware uses Corporate MDM as attack vector. Retrieved June 26, 2020.