Investigating Malicious Capabilities of Android Malwares that Utilize Accessibility Services

dc.contributor.advisor: Fitsum Assamnew (PhD)
dc.contributor.author: Tekeste Fekadu
dc.date.accessioned: 2025-06-24T08:37:53Z
dc.date.available: 2025-06-24T08:37:53Z
dc.date.issued: 2025-02
dc.description.abstract: The Android accessibility service provides a range of powerful capabilities. These include observing user actions, reading on-screen content, and executing actions on behalf of the user. Although these features are designed to enhance the user experience for individuals with disabilities, they introduce design vulnerabilities that make the accessibility service susceptible to malicious exploitation. This research investigates how Android malware leverages accessibility services for malicious purposes. By analyzing a dataset of malicious applications, we identified common patterns of accessibility service abuse and developed a machine learning-based detection approach using TinyBERT and XGBoost models. We first manually compiled a base dataset of 134 accessibility service event patterns comprising source and sink API calls. These patterns were labeled according to specific malicious functionalities: BlockAccess, ManipulateUI, and ContentEavesdrop. To address data limitations, we generated call graphs from 121 malware samples using FlowDroid taint analysis and applied agglomerative clustering and fuzzy matching, ultimately expanding the dataset size to 1,497 patterns. Our classification experiments compared the performance of TinyBERT, a transformer-based model, and XGBoost, a gradient-boosted decision tree model, in classifying malicious functionalities. Results show TinyBERT’s outstanding performance, achieving an accuracy of 97.7% and an F1 score of 97.6% over ten-fold cross-validation, compared to XGBoost’s 90.4% accuracy and 90.0% F1 score. This study demonstrates the potential of transformer-based models in capturing sequential dependencies and contextual characteristics in API call patterns, enabling robust detection of accessibility service misuse. Our findings contribute a novel approach to detecting malicious behavior in Android malware and a valuable dataset that may aid similar research.
dc.identifier.uri: https://etd.aau.edu.et/handle/123456789/5625
dc.language.iso: en_US
dc.publisher: Addis Ababa University
dc.subject: Android malware
dc.subject: Accessibility Services
dc.subject: Accessibility Abuse
dc.subject: Machine Learning
dc.subject: BERT
dc.subject: TinyBERT
dc.subject: XGBoost
dc.subject: content eavesdropping
dc.subject: access blocking
dc.subject: cybersecurity
dc.subject: mobile security
dc.title: Investigating Malicious Capabilities of Android Malwares that Utilize Accessibility Services
dc.type: Thesis

Files

Original bundle
Name: Tekeste Fekadu.pdf
Size: 1.49 MB
Format: Adobe Portable Document Format