Blocking Screen Readers

Motivation for Blocking Screen Readers

Screen readers are apps that are able to read contents of other apps by using Android accessibility API. The API was designed to help disabled people to use their mobile devices.

Unfortunately, accessibility is frequently misused for other purposes, both benign and malicious. Apps such as automation tools, device cleaners, battery savers or AVs use it to be able to access APIs that are intended to be available only for the user, not for the apps.

What’s especially worrying is that accessibility API is often abused by Android malware and especially banking malware. Malware use accessibility to grant itself excessive permissions and to read contents of other apps’ screens.

To help protect apps agains malicious screen readers Malwarelytics for Android contains a screen reader blocking feature.

Limitation of Blocking Screen Readers

Blocking screen readers has certain limitations arising from Android accessibility API design.

An application can decide what data it sends to the accessibility API to be available for the enabled screen readers.

Unfortunately, an app cannot selectively choose which data are sent to which screen readers. Screen readers cannot be selectively allowed to see the data or selectively blocked from seeing the data. Screen readers have to be either allowed or blocked all at once.

Malwarelytics for Android screen reader blocking feature decides whether to allow or block screen readers based on the provided SDK configuration and the list of enabled screen readers in the system.

In order to allow reading of the app screens all enabled screenreaders have to be allowed in the configuration. If any enabled screen readers is not allowed by the configuration all the enabled screen readers are blocked.

Configuring Screen Reader Allowlist

Allowed screen readers can be configured in RaspConfig.

val allowList = listOf(
        // specify allowed app by its package name and signature hash
        RaspConfig.ApkAllowlist("com.google.android.marvin.talkback", "9b424c2d27ad51a42a337e0bb6991c76eca44461"),
        // specify allowed app by its package name only (less secure)
        RaspConfig.ApkAllowlist("com.google.android.tts")
    )
val raspConfig = RaspConfig.Builder()
    .allowedScreenReaders(allowList)
    .build()

Allowed screen readers can be specified either by its package name and signature or by its package name only. It’s recommended to specify the signature too to avoid allowing fake (and often malicious) apps.

Obtaining Apps’ Signatures

Obtaining apps’ package names (application IDs) is simple. Package names are visible in the URL of Google Play’s page for the app. For example the URL for Android Accessibility Suite is https://play.google.com/store/apps/details?id=com.google.android.marvin.talkback.

Obtaining the correct app signature is a little bit harder. It’s necessary to get hold of a signed apk. Ideally install the app from Google Play.

When the app is installed on an Android device, you have to pull the apk from the device first. You can find the location of the apk on the device by running:

adb shell pm list packages -f | grep "$PACKAGE$" | sed "s/package://" | sed "s/=$PACKAGE//"

Then you can pull the apk from the device by running:

adb pull "$APK_LOCATION"

As the last step obtain the signature hash in the right format:

apksigner verify --print-certs ${SOME_APK} | grep "SHA-1" | sed "s/.*: //"

Use the obtained string as the second argument for RaspConfig.ApkAllowList(String, String).

List of Frequently Used Legitimate Accessibility Apps

There’s a ton of Android apps using accessibility API. Here we provide a list of select few that are designed to make the device more accessible.

Android Accessibility Suite RaspConfig.ApkAllowlist("com.google.android.marvin.talkback", "9b424c2d27ad51a42a337e0bb6991c76eca44461")

Voice Access RaspConfig.ApkAllowlist("com.google.android.apps.accessibility.voiceaccess", "9dda347424376a377f78c4f2966f247270e16974")

Sound Amplifier RaspConfig.ApkAllowlist("com.google.android.accessibility.soundamplifier", "26710bdb08f6463b1f5842e2775169e31dd07301")

Live Transcribe & Sound Notifications RaspConfig.ApkAllowlist("com.google.audio.hearing.visualization.accessibility.scribe", "16e7d81dbd9baec338e32a5d7e13eec6af87b6d0")

Last updated on Jul 21, 2021 (14:15) View product
Search

0.18.x

Malwarelytics for Android