Malware Is Exploiting This Android Feature on Millions of Smartphones. Researchers Say They Know How to Detect It

  • Some cybercriminals manage to bypass the protection measures they encounter.

  • Researchers at the Georgia Institute of Technology have developed a new security solution.

Android’s built-in security has improved significantly over time. Google’s operating system uses machine learning to prevent, detect, and remove malicious software. Devices may also have additional protection developed by the manufacturer, such as Samsung Knox, or manually downloaded antivirus software.

With these measures, users may believe their smartphones are fully protected from threats in the digital world. However, cybercriminals are increasingly sophisticated and continually adapt their attack methods. There’s always a risk that malicious software will infiltrate a device. Once inside, it can exploit features, such as those made for accessibility, to achieve its goal.

Malware That Exploits Accessibility Features

Android accessibility features improve the user experience by providing alternative control methods (such as voice, gestures, and gaze), screen content reading, and more. However, malware families like Vultur often exploit these features to compromise bank accounts, for example, by capturing information from screens or keystrokes.

Researchers at the Georgia Institute of Technology have developed a solution to check if an Android device has malware that uses accessibility features. The app, called Detector of Victim-Specific Accessibility (DVa), works with a cloud service that simulates certain actions to trigger malicious behavior in apps and identify them.

Once the process is complete, DVa generates a report and sends it to Google to alert the company of the issue. Users often download apps with accessibility features from sites other than the official app store. This involves manually enabling installation from unknown sources. However, some apps use effective techniques to sneak into the Play Store.

In most cases, cybercriminals publish apps that appear harmless but later update them with additional code—such as the SharkBot malware—from servers they control for malicious purposes. It’s no secret that this behavior violates Play Store policies, but delayed detection is often enough to trick some users.

Unfortunately, DVa isn’t available to the general public. It’s part of an academic project, though its resources are available for experimentation on GitHub. These materials allow users to perform static and dynamic analysis on a computer running a recent version of a Linux distribution such as Ubuntu or Debian.

The project’s paper contains a wealth of information, but using DVa from the GitHub repositories requires a certain level of technical expertise. For dynamic analysis, the device in question must have root privileges. The general public will have to wait and see if this idea eventually becomes an app accessible to all users.
