Investigating Malicious Capabilities of Android Malwares that Utilize Accessibility Services
Date
2025-02
Publisher
Addis Ababa University
Abstract
The Android accessibility service provides a range of powerful capabilities. These include observing user actions, reading on-screen content, and executing actions on behalf of the user. Although these features are designed to enhance the user experience for individuals with disabilities, they introduce design vulnerabilities that make the accessibility service susceptible to malicious exploitation. This research investigates how Android malware leverages accessibility services for malicious purposes. By analyzing a dataset of malicious applications, we identified common patterns of accessibility service abuse and developed a machine learning-based detection approach using TinyBERT and XGBoost models. We first manually compiled a base dataset of 134 accessibility service event patterns comprising source and sink API calls. These patterns were labeled according to specific malicious functionalities: BlockAccess, ManipulateUI, and ContentEavesdrop. To address data limitations, we generated call graphs from 121 malware samples using FlowDroid taint analysis and applied agglomerative clustering and fuzzy matching, ultimately expanding the dataset size to 1,497 patterns. Our classification experiments compared the performance of TinyBERT, a transformer-based model, and XGBoost, a gradient-boosted decision tree model, in classifying malicious functionalities. Results show TinyBERT’s outstanding performance, achieving an accuracy of 97.7% and an F1 score of 97.6% over ten-fold cross-validation, compared to XGBoost’s 90.4% accuracy and 90.0% F1 score. This study demonstrates the potential of transformer-based models in capturing sequential dependencies and contextual characteristics in API call patterns, enabling robust detection of accessibility service misuse. Our findings contribute a novel approach to detecting malicious behavior in Android malware and a valuable dataset that may aid similar research.
Keywords
Android malware, Accessibility Services, Accessibility Abuse, Machine Learning, BERT, TinyBERT, XGBoost, content eavesdropping, access blocking, cybersecurity, mobile security