{
	"id": "5c84d8cb-fa29-49f6-b8ac-6b5212424129",
	"created_at": "2026-04-06T00:10:45.03868Z",
	"updated_at": "2026-04-10T03:30:33.838543Z",
	"deleted_at": null,
	"sha1_hash": "f9b3488f3f5a3389fbcdc08bc5ee514895a7bf2c",
	"title": "When your phone gets sick: FluBot abuses Accessibility features to steal data",
	"llm_title": "",
	"authors": "",
	"file_creation_date": "0001-01-01T00:00:00Z",
	"file_modification_date": "0001-01-01T00:00:00Z",
	"file_size": 811758,
	"plain_text": "When your phone gets sick: FluBot abuses Accessibility features to\r\nsteal data\r\nBy SRLabs\r\nPublished: 2021-12-21 · Archived: 2026-04-05 15:32:43 UTC\r\nKey take-aways\r\nAccessibility features enable malware to bypass Android’s permission system that is supposed to prevent\r\nmalware from stealing credentials. Therefore, the majority of the active banking Trojans exploit this weak\r\nspot\r\nAwareness for this issue seems to be limited: Only few apps implement safeguards\r\nRight now, there are no known Android-level countermeasures that would preserve the usability of\r\nAccessibility features while at the same time preventing their abuse\r\nWe face a pandemic of Android malware abusing Accessibility\r\n2021 was a truly pandemic year, not only in terms of COVID-19 but also for Android banking malware. The rise\r\nin Android banking Trojans is driven by several catalysts: a general professionalization of malware distribution\r\nservices, and the leaked source codes of Anubis and Cerberus. Many banking Trojans have in common their\r\n(ab)use of Accessibility service to control the infected device.\r\nThis article explains how Accessibility features are abused by Android malware to steal sensitive data and spread\r\nto other phones. The post focuses on FluBot, a banking Trojan active since December 2020. The analysis is based\r\non FluBot as observed “in the wild” in Germany in July 2021.\r\nAndroid Accessibility features: A blessing and a curse\r\nAccessibility features are tools included with Android that ease access to mobile phone services for people with\r\ndisabilities. For example, Android can read text aloud and prescribe voice into text, lowering the barrier of mobile\r\nphone usage for visually impaired users. 
Android Accessibility features can be grouped in four categories: screen\r\nreaders, display configurations like magnification and Select to Speak, interaction controls like the Accessibility\r\nMenu, and audio \u0026 on-screen text transcription. These services require broad access to the system itself, the stored\r\ndata (including e.g., contacts, photos, and passwords), the ability to read the screen, create overlays, and to\r\nperform actions on behalf of the user. These all happen to also be features that Android malware can abuse to steal\r\ndata.\r\nEach “helper app” must be given specific permission to use the Accessibility service. This permission is given only\r\nonce per app, usually right after the installation of the helper app (or malware app).\r\nAccessibility features can help malware to circumvent Android’s security framework, which uses a kernel-level application sandbox to isolate application resources. This isolation is intended to prevent apps from interacting\r\nwith other apps unless they deliberately expose components, for example through intents or content providers. Even if a malicious app is\r\ninstalled, Android prevents third-party access to protected app resources. In theory.\r\nhttps://www.srlabs.de/blog-post/flubot-abuses-accessibility-features-to-steal-data\r\nPage 1 of 8\n\nWhen a user enables Accessibility for a malicious app, the security framework can be bypassed in two ways to\r\nsteal data from other apps:\r\nOverlay\r\nThe first method is that the malicious Accessibility service puts an HTML overlay resembling the actual login\r\nscreen on top of the targeted app when it is launched. When the user tries to log in, their login credentials are sent to the\r\nattacker’s server.\r\nKeylogger\r\nIn the second method, the malicious Accessibility service takes the role of a keylogger by tracking the changes on\r\nthe EditText fields where the user can input their login credentials. 
Every time the user inputs or deletes a\r\ncharacter, the resulting field content is sent to the attacker's server, enabling them to capture the user credentials.\r\nGoogle partly mitigated these issues in 2017 by attempting to ban all apps from the Play Store that misused\r\nAccessibility services and by limiting the use of this Android API for developers. Yet, since Google can only\r\ncontrol the apps in its own app store, this did not fix the general problem, as fraudsters now lure victims into\r\ninstalling apps from other sources. Therefore, Accessibility features can be considered the current Achilles' heel of\r\nAndroid.\r\nGiven that only a minority of Android users actually use Accessibility features, the authors believe that the barrier\r\nto initially activating this far-reaching access should be significantly higher than simply giving an app permission\r\nto use it. Users should be asked to authenticate twice to acknowledge a clear warning message highlighting the\r\npotential dangers of giving Accessibility privileges to a newly installed app. Google Play services should by\r\ndefault scan all Accessibility-requesting apps regardless of whether they were installed through Google Play.\r\nFluBot in action: Lure users through Smishing\r\nThe FluBot malware demonstrates how Accessibility features are commonly abused. First “in-the-wild” samples\r\nof FluBot were detected by CSIS in December 2020. The first piece of analysis was released in January 2021 by\r\nThreatFabric. An initial in-depth analysis was published by PRODAFT in March 2021, and another one in April\r\n2021 by Proofpoint. Our analysis has been conducted on a more recent sample that we obtained “in-the-wild” in\r\nJuly 2021 through a malicious SMS message distributed to German mobile numbers. The package name is\r\n“com.UCMobile.intl”.\r\nThe fraud typically starts with an SMS that informs users that they are expecting a parcel (Figure 1) or received a\r\nvoicemail (Figure 2). 
The messages are usually sent in the national language of the network where they are received.\r\nTo circumvent simple carrier SMS spam filters, the included links change often, words are misspelled or\r\ncapitalized, or, as seen in Figure 2, random letters are added.\r\nFigure 1: Example of a phishing SMS by FluBot received in April 2021 in a German mobile\r\nnetwork. The message says: “Your parcel will be sent returned to the sender. Last possibility to get\r\nit \u003clink\u003e”.\r\nFigure 2: The phishing SMS we received in July 2021 in a German mobile network. The message\r\nsays: “oarrq 2 New voicemail(s) received \u003clink\u003e”.\r\nThe analyzed version of FluBot notifies the user of a missed voicemail (Figure 2). The link redirects victims to a\r\nwebsite where they are asked to download an app (Figure 3). This website often imitates well-known brands like\r\nT-Mobile (Figure 3), DHL, and FedEx. In a twist of irony, one version of FluBot directs users to a website which\r\ninforms them that their mobile is infected with FluBot and suggests that they download an app to get rid of it.\r\nFigure 3: Website that lures people to download the FluBot app\r\nAs soon as users download and install the app – despite several warning messages – the malware app will ask for\r\npermission to use Accessibility features and notification access to gain control over the phone (Figure 4).\r\nFigure 4: FluBot asking for permission to use Accessibility features\r\nOne key feature of FluBot is making use of the mobile’s contact list and Messages app to spread further. 
For this\r\nspreading mechanism, the infected device uploads the contact list of the victim to the Command\u0026Control (C\u0026C)\r\nserver. Then it receives a list of message texts and phone numbers; the SMS it sends out contains a link to the\r\nAPK file to download, which is hosted on a compromised website (Figure 5).\r\nFigure 5: A GET_SMS command sent from the C\u0026C server\r\nNext, FluBot prepares for its core objective, stealing credentials of banking and cryptocurrency apps. A target app needs to be\r\nin the target scope of the C\u0026C server: FluBot sends a list of apps installed on the victim’s phone to the C\u0026C\r\nserver, and the server responds with the subset of apps that are targeted and sends the HTML files for the overlay attacks\r\n(Figure 6). A wide range of cryptocurrency trading and online banking apps are being targeted by FluBot.\r\nFigure 6: A GET_INJECT command sent from the C\u0026C server for one of the banking apps installed\r\nFluBot in action: Abuse Accessibility features in three ways\r\nAccessibility permissions allow FluBot to steal the app credentials, evade detection and removal, and send SMS to\r\nspread to further victims.\r\nFirst, to steal the login credentials from the user, FluBot leverages two approaches. The first one is using an\r\noverlay: An HTML page resembling the login dashboard of the targeted app is shown to the user as an overlay\r\nby making use of the Accessibility services (Figure 7). When the user inputs their password and clicks ‘Log In’,\r\ntheir credentials are sent to the C\u0026C server.\r\nFigure 7: Overlay attack on a banking app\r\nThe second approach is to observe the EditText events using Accessibility services, sending the value of the\r\nEditText every time a change is made (Figure 8). 
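The keylogging mechanism just described, and the app-side check that the developer section below recommends (detect enabled Accessibility services and warn the user), can be illustrated with the following Java helper for an Android app. This is an added example, not code from the SRLabs post and not FluBot's code; the class and method names (AccessibilityAbuseCheck, enabledServices, thirdPartyServiceCanReadScreen, rawEnabledServicesSetting) are my own, and treating only FLAG_SYSTEM packages as trusted is an assumption that a real app would replace with its own policy.

```java
import android.accessibilityservice.AccessibilityServiceInfo;
import android.content.Context;
import android.content.pm.ApplicationInfo;
import android.content.pm.ResolveInfo;
import android.provider.Settings;
import android.view.accessibility.AccessibilityManager;

import java.util.ArrayList;
import java.util.List;

/*
 * Added example (not SRLabs' code and not FluBot's): an app-side check that a
 * banking or wallet app can run before it shows its login screen. It enumerates
 * the Accessibility services that are currently enabled and flags those that
 * can read window content, which is the capability a keylogging service needs
 * to receive the text of EditText fields. Requires API level 18 or newer for
 * getCapabilities().
 */
public final class AccessibilityAbuseCheck {

    /* One enabled service plus the properties the caller needs to decide what to do. */
    public static final class Finding {
        public final String id;              // flattened component name, e.g. pkg/.ServiceClass
        public final boolean canReadScreen;  // CAPABILITY_CAN_RETRIEVE_WINDOW_CONTENT is set
        public final boolean systemApp;      // service lives in a FLAG_SYSTEM package (assumed trusted)

        Finding(String id, boolean canReadScreen, boolean systemApp) {
            this.id = id;
            this.canReadScreen = canReadScreen;
            this.systemApp = systemApp;
        }
    }

    private AccessibilityAbuseCheck() {}

    /* Lists every enabled Accessibility service, regardless of its feedback type. */
    public static List<Finding> enabledServices(Context context) {
        List<Finding> findings = new ArrayList<>();
        AccessibilityManager manager =
                (AccessibilityManager) context.getSystemService(Context.ACCESSIBILITY_SERVICE);
        if (manager == null || !manager.isEnabled()) {
            return findings;  // no service enabled, so nothing can observe the UI
        }
        for (AccessibilityServiceInfo info
                : manager.getEnabledAccessibilityServiceList(AccessibilityServiceInfo.FEEDBACK_ALL_MASK)) {
            boolean canReadScreen = (info.getCapabilities()
                    & AccessibilityServiceInfo.CAPABILITY_CAN_RETRIEVE_WINDOW_CONTENT) != 0;
            boolean systemApp = false;
            ResolveInfo resolve = info.getResolveInfo();
            if (resolve != null && resolve.serviceInfo != null
                    && resolve.serviceInfo.applicationInfo != null) {
                systemApp = (resolve.serviceInfo.applicationInfo.flags
                        & ApplicationInfo.FLAG_SYSTEM) != 0;
            }
            findings.add(new Finding(info.getId(), canReadScreen, systemApp));
        }
        return findings;
    }

    /*
     * True when at least one non-system service can read window content. A
     * screen reader installed from the Play Store trips this as well, so the
     * caller should warn and ask the user to confirm, as the post describes,
     * rather than refuse to run.
     */
    public static boolean thirdPartyServiceCanReadScreen(Context context) {
        for (Finding finding : enabledServices(context)) {
            if (finding.canReadScreen && !finding.systemApp) {
                return true;
            }
        }
        return false;
    }

    /*
     * Cross-check against the raw setting: the same colon-separated list of
     * component names that 'adb shell settings get secure
     * enabled_accessibility_services' prints on a device. Returns null when
     * no service has ever been enabled. Useful when comparing what the
     * manager reports with what the user sees under Settings > Accessibility.
     */
    public static String rawEnabledServicesSetting(Context context) {
        return Settings.Secure.getString(context.getContentResolver(),
                Settings.Secure.ENABLED_ACCESSIBILITY_SERVICES);
    }
}
```

Call thirdPartyServiceCanReadScreen from the login activity's onResume and, when it returns true, show a warning the user has to acknowledge before the password field is presented. The check only addresses the keylogging approach: any service that has been granted Accessibility can also draw an overlay, and, as the post notes, an app cannot tell a fake login page drawn on top of it from its own UI with this kind of check.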
This keylogging approach can be more dangerous than the overlay, as there is no modification\r\nof the UI and the credentials are stolen from the actual UI of the targeted app. We have observed that this\r\napproach serves as a fallback option when the overlay attack does not work.\r\nFigure 8: Logging of captured credentials from the overlay attack\r\nSecond, FluBot also abuses Accessibility services to lie low and block its uninstallation. When Accessibility permissions\r\nare granted, FluBot grants itself the “ignore battery optimizations” exemption so that it can keep running in the\r\nbackground. As a final self-defense, FluBot prevents its uninstallation via the Android UI by immediately\r\nsending a “go-back” command using the Accessibility services whenever the user views the App Info window of\r\nFluBot. Additionally, with the use of Accessibility services, FluBot can go into the Google Play settings and disable\r\nGoogle Play Protect when it receives the “DISABLE_PLAY_PROTECT” command.\r\nThird, through Accessibility features, FluBot sets itself as the default SMS app so that it can handle the\r\nspreading mechanism. To hide the malicious messages it sent on the user's behalf, the\r\nmalware puts an overlay on the Google Messages app so that the user cannot see them.\r\nApp developers can make Accessibility-based abuse harder\r\nDevelopers of finance-related and other high-value apps should take precautions against malware abusing\r\nAccessibility services. Apps should check whether Accessibility services are turned on and warn their users. One\r\nnotable example that does this correctly is Coinbase. When the Coinbase Android app detects the type of hooking\r\nthat enables a keylogger, it warns the user: “An Accessibility service is trying to interact with Coinbase. 
Shake\r\nyour device to authorize it.” Since malware can simulate touches and gestures, a warning that can only be dismissed by\r\nshaking the device is the right approach, as the malware cannot skip it.\r\nHowever, while developers can take precautions against the keylogging approach, there is not much they can do\r\nagainst overlay attacks using the Android SDK. We have not encountered any financial apps which take\r\nprecautions against overlay attacks.\r\nAndroid users should follow a few best practices to stay safe\r\nFor now, users should assume that neither the OS nor their apps prevent Accessibility-based abuse. Users should\r\ninstead follow basic security precautions to limit their exposure to FluBot and other malware: \r\nPrevention\r\nDo not click on links in messages, suspicious emails, and dubious websites. Instead, use the company website\r\nor app to access your information\r\nIdeally, only install apps from a trusted app store, most notably the Google Play Store, and even from there,\r\nonly install apps that have a considerable number of downloads\r\nIf you do not rely on Accessibility features to use your phone, never give the Accessibility permission to\r\nany app. You can review which services are enabled under Settings \u003e Accessibility\r\nBack up your data frequently to keep it safe in case you need to reset your device, which sometimes is the\r\nonly simple way to remove malware \r\nIf you installed malware\r\nPut your mobile in flight mode immediately\r\nReset your device to factory settings\r\nChange the passwords of all accounts you accessed after installing the malware\r\nContact your bank if you use its banking app on your phone\r\nThis research was done by the mobile security team at Security Research Labs. 
If you are interested in\r\nresearching similar topics, please get in touch or consider joining our team.\r\nSource: https://www.srlabs.de/blog-post/flubot-abuses-accessibility-features-to-steal-data",
	"extraction_quality": 1,
	"language": "EN",
	"sources": [
		"MITRE"
	],
	"references": [
		"https://www.srlabs.de/blog-post/flubot-abuses-accessibility-features-to-steal-data"
	],
	"report_names": [
		"flubot-abuses-accessibility-features-to-steal-data"
	],
	"threat_actors": [
		{
			"id": "f276b8a6-73c9-494a-8ab2-13e2f1da4c53",
			"created_at": "2022-10-25T16:07:24.441133Z",
			"updated_at": "2026-04-10T02:00:04.993411Z",
			"deleted_at": null,
			"main_name": "Achilles",
			"aliases": [],
			"source_name": "ETDA:Achilles",
			"tools": [
				"RDP",
				"Remote Desktop Protocol"
			],
			"source_id": "ETDA",
			"reports": null
		},
		{
			"id": "75108fc1-7f6a-450e-b024-10284f3f62bb",
			"created_at": "2024-11-01T02:00:52.756877Z",
			"updated_at": "2026-04-10T02:00:05.273746Z",
			"deleted_at": null,
			"main_name": "Play",
			"aliases": null,
			"source_name": "MITRE:Play",
			"tools": [
				"Nltest",
				"AdFind",
				"PsExec",
				"Wevtutil",
				"Cobalt Strike",
				"Playcrypt",
				"Mimikatz"
			],
			"source_id": "MITRE",
			"reports": null
		}
	],
	"ts_created_at": 1775434245,
	"ts_updated_at": 1775791833,
	"ts_creation_date": 0,
	"ts_modification_date": 0,
	"files": {
		"pdf": "https://archive.orkl.eu/f9b3488f3f5a3389fbcdc08bc5ee514895a7bf2c.pdf",
		"text": "https://archive.orkl.eu/f9b3488f3f5a3389fbcdc08bc5ee514895a7bf2c.txt",
		"img": "https://archive.orkl.eu/f9b3488f3f5a3389fbcdc08bc5ee514895a7bf2c.jpg"
	}
}