Security researchers have developed a new tool that will help Android users detect and remove malware from their devices.
It’s called Detector of Victim-specific Accessibility (DVa) and was built by cybersecurity experts at Georgia Tech. It runs in the cloud, checks the phone for malware that abuses accessibility rights, and then reports back to the user.
If the tool finds positives, the user can uninstall the app or otherwise clean up their device.
GPUs make attacks powerful
“As we continue to design systems that become increasingly accessible, we also need security experts,” said Brendan Saltaformaggio, associate professor in the School of Cybersecurity and Privacy (SCP) and the School of Electrical and Computer Engineering. “Because if we don’t, they will be abused by hackers.”
In addition to reporting back to the user, DVa also sends a report directly to Google. While it’s certainly commendable, it’s also worth noting that Google is doing a good job of keeping its app repository clean, as it is right now. The majority of Android-based malware is usually downloaded through third-party app stores, shady websites, or through social media advertisements.
Typically, Android malware can be identified by the permissions it requests. Typically, this type of malware requests accessibility permissions, which are mainly built to simplify usage for people with various disabilities. Accessibility permissions are designed for apps that can read the content on the screen, convert it to audio and the like.
However, malicious apps with the same permissions can tap things, which can lead to data loss and even wire fraud.
“The Android Accessibility Service is widely abused by malware to conduct fraud on the device,” the researchers explain in the whitepaper. “Existing mitigation techniques focus on detecting malware, but neglect providing users with evidence of abuse that has already occurred and informing victims to facilitate defense. We developed DVa, a malware analysis pipeline based on dynamic victim-driven execution and exploit vector-driven symbolic analysis, to help researchers discover malware’s intended victims, victim-specific exploit vectors, and persistence mechanisms.”
After deploying DVa to Android devices infected with nearly 10,000 pieces of malware, researchers discovered 215 unique victim vectors and an average of 13.9 exploit routines. The full study can be found here.