{"status":"ok","message-type":"work","message-version":"1.0.0","message":{"indexed":{"date-parts":[[2026,3,24]],"date-time":"2026-03-24T16:04:25Z","timestamp":1774368265770,"version":"3.50.1"},"publisher-location":"Cham","reference-count":30,"publisher":"Springer International Publishing","isbn-type":[{"value":"9783030598167","type":"print"},{"value":"9783030598174","type":"electronic"}],"license":[{"start":{"date-parts":[[2020,1,1]],"date-time":"2020-01-01T00:00:00Z","timestamp":1577836800000},"content-version":"tdm","delay-in-days":0,"URL":"https:\/\/creativecommons.org\/licenses\/by\/4.0"},{"start":{"date-parts":[[2020,9,16]],"date-time":"2020-09-16T00:00:00Z","timestamp":1600214400000},"content-version":"vor","delay-in-days":259,"URL":"https:\/\/creativecommons.org\/licenses\/by\/4.0"}],"content-domain":{"domain":["link.springer.com"],"crossmark-restriction":false},"short-container-title":[],"published-print":{"date-parts":[[2020]]},"abstract":"<jats:title>Abstract<\/jats:title>\n          <jats:p>Android accessibility features include a robust set of tools allowing developers to create apps for assisting people with disabilities. Unfortunately, this useful set of tools can also be abused and turned into an attack vector, providing malware with the ability to interact and read content from third-party apps.<\/jats:p>\n          <jats:p>In this work, we are the first to study the impact that the stealthy exploitation of Android accessibility services can have on significantly reducing the forensic footprint of malware attacks, thus hindering both live and post-incident forensic investigations. We show that through Living off the Land (LotL) tactics, or by offering a malware-only substitute for attacks typically requiring more elaborate schemes, accessibility-based malware can be rendered virtually undetectable.<\/jats:p>\n          <jats:p>In the LotL approach, we demonstrate accessibility-enabled SMS and command and control (C2) capabilities. As for the latter, we show a complete cryptocurrency wallet theft, whereby the accessibility trojan can hijack the entire withdrawal process of a widely used app, including two-factor authentication (2FA). In both cases, we demonstrate how the attacks result in significantly diminished forensic evidence when compared to similar attacks not employing accessibility tools, even to the extent of maintaining device take-over without requiring malware persistence.<\/jats:p>","DOI":"10.1007\/978-3-030-59817-4_2","type":"book-chapter","created":{"date-parts":[[2020,9,15]],"date-time":"2020-09-15T13:03:17Z","timestamp":1600174997000},"page":"22-38","update-policy":"https:\/\/doi.org\/10.1007\/springer_crossmark_policy","source":"Crossref","is-referenced-by-count":7,"title":["Reducing the Forensic Footprint with Android Accessibility Attacks"],"prefix":"10.1007","author":[{"ORCID":"https:\/\/orcid.org\/0000-0002-7997-0063","authenticated-orcid":false,"given":"Yonas","family":"Leguesse","sequence":"first","affiliation":[]},{"ORCID":"https:\/\/orcid.org\/0000-0002-6483-9054","authenticated-orcid":false,"given":"Mark","family":"Vella","sequence":"additional","affiliation":[]},{"ORCID":"https:\/\/orcid.org\/0000-0002-2844-5728","authenticated-orcid":false,"given":"Christian","family":"Colombo","sequence":"additional","affiliation":[]},{"ORCID":"https:\/\/orcid.org\/0000-0002-6432-5328","authenticated-orcid":false,"given":"Julio","family":"Hernandez-Castro","sequence":"additional","affiliation":[]}],"member":"297","published-online":{"date-parts":[[2020,9,16]]},"reference":[{"key":"2_CR1","unstructured":"Zdnet: Bigger than Windows, bigger than iOS (2019). https:\/\/www.zdnet.com\/article\/bigger-than-windows-bigger-than-ios-google-now-has-2-5-billion-active-android-devices-after-10-years\/"},{"key":"2_CR2","unstructured":"Gdata: Cyber attacks on Android devices on the rise (2018). https:\/\/www.gdatasoftware.com\/blog\/2018\/11\/31255-cyber-attacks-on-android-devices-on-the-rise"},{"key":"2_CR3","doi-asserted-by":"crossref","unstructured":"Hutchinson, S., Zhou, B., Karabiyik, U.: Are we really protected? An investigation into the play protect service. In: 2019 IEEE BigData, pp. 4997\u20135004. IEEE (2019)","DOI":"10.1109\/BigData47090.2019.9006100"},{"key":"2_CR4","series-title":"Lecture Notes in Computer Science","doi-asserted-by":"publisher","first-page":"53","DOI":"10.1007\/978-3-319-71501-8_4","volume-title":"Security, Privacy, and Applied Cryptography Engineering","author":"E Alepis","year":"2017","unstructured":"Alepis, E., Patsakis, C.: Hey doc, is this normal?: Exploring Android permissions in the post Marshmallow era. In: Ali, S.S., Danger, J.-L., Eisenbarth, T. (eds.) SPACE 2017. LNCS, vol. 10662, pp. 53\u201373. Springer, Cham (2017). https:\/\/doi.org\/10.1007\/978-3-319-71501-8_4"},{"key":"2_CR5","unstructured":"ENISA: Mobile Threats and Incident Handling (2015)"},{"key":"2_CR6","doi-asserted-by":"crossref","unstructured":"Petsas, T., et al.: Rage against the virtual machine: hindering dynamic analysis of Android malware. In: EuroSec 2014, pp. 1\u20136 (2014)","DOI":"10.1145\/2592791.2592796"},{"key":"2_CR7","series-title":"Lecture Notes in Computer Science","doi-asserted-by":"publisher","first-page":"334","DOI":"10.1007\/978-3-319-66332-6_15","volume-title":"Research in Attacks, Intrusions, and Defenses","author":"E Alepis","year":"2017","unstructured":"Alepis, E., Patsakis, C.: Trapped by the UI: the Android case. In: Dacier, M., Bailey, M., Polychronakis, M., Antonakakis, M. (eds.) RAID 2017. LNCS, vol. 10453, pp. 334\u2013354. Springer, Cham (2017). https:\/\/doi.org\/10.1007\/978-3-319-66332-6_15"},{"issue":"1","key":"2_CR8","first-page":"23","volume":"15","author":"M Ahmad","year":"2017","unstructured":"Ahmad, M., Khan, M.N.A.: A review of forensic analysis techniques for Android phones. JISR 15(1), 23\u201330 (2017)","journal-title":"JISR"},{"key":"2_CR9","unstructured":"Diao, W., et al.: Kindness is a risky business: on the usage of the accessibility APIs in Android. In: 22nd RAID 2019, pp. 261\u2013275 (2019)"},{"key":"2_CR10","unstructured":"Stefanko, L.: Insidious Android malware gives up all malicious features but one to gain stealth (2020). https:\/\/www.welivesecurity.com\/2020\/05\/22\/insidious-android-malware-gives-up-all-malicious-features-but-one-gain-stealth\/"},{"key":"2_CR11","unstructured":"Threat Fabric: 2020 - Year of the RAT (2020). https:\/\/www.threatfabric.com\/blogs\/2020_year_of_the_rat.html"},{"key":"2_CR12","unstructured":"Techcrunch: Eventbot (2020). https:\/\/techcrunch.com\/2020\/04\/29\/eventbot-android-malware-banking"},{"key":"2_CR13","unstructured":"Campbell, C., Graeber, M.: Living Off the Land: A Minimalist\u2019s Guide to Windows Post-Exploitation (2013). http:\/\/www.securitybsides.com\/w\/page\/67875719\/BSidesAugusta"},{"key":"2_CR14","doi-asserted-by":"crossref","unstructured":"Zhou, Y., Jiang, X.: Dissecting android malware: characterization and evolution. In: 2012 IEEE SSP, pp. 95\u2013109. IEEE (2012)","DOI":"10.1109\/SP.2012.16"},{"key":"2_CR15","doi-asserted-by":"crossref","unstructured":"Yang, K., et al.: IntentFuzzer: detecting capability leaks of android applications. In: 9th ACM CCS, pp. 531\u2013536 (2014)","DOI":"10.1145\/2590296.2590316"},{"key":"2_CR16","doi-asserted-by":"crossref","unstructured":"Zhang, H., She, D., Qian, Z.: Android root and its providers: a double-edged sword. In: 22nd ACM SIGSAC, pp. 1093\u20131104 (2015)","DOI":"10.1145\/2810103.2813714"},{"key":"2_CR17","unstructured":"Mayrhofer, R., et al.: The Android platform security model. CoRR abs\/1904.05572 (2019). arXiv: 1904.05572"},{"key":"2_CR18","doi-asserted-by":"crossref","unstructured":"Kalysch, A., Bove, D., M\u00fcller, T.: How Android\u2019s UI security is undermined by accessibility. In: Proceedings of the 2nd Reversing and Offensive-oriented Trends Symposium, pp. 1\u201310 (2018)","DOI":"10.1145\/3289595.3289597"},{"issue":"2","key":"2_CR19","first-page":"291","volume":"2019","author":"M Naseri","year":"2019","unstructured":"Naseri, M., et al.: AccessiLeaks: investigating privacy leaks exposed by the Android accessibility service. Proc. PETs 2019(2), 291\u2013305 (2019)","journal-title":"Proc. PETs"},{"key":"2_CR20","doi-asserted-by":"crossref","unstructured":"Fratantonio, Y., et al.: Cloak and dagger: from two permissions to complete control of the UI feedback loop. In: 2017 IEEE (SP), pp. 1041\u20131057. IEEE (2017)","DOI":"10.1109\/SP.2017.39"},{"key":"2_CR21","unstructured":"Serapiglia, A.: Cybersecurity and cryptocurrencies: introducing ecosystem vulnerabilities through current events. In: EDSIG ISSN, vol. 2473, p. 3857 (2019)"},{"key":"2_CR22","unstructured":"Kan, Z., et al.: Automated deobfuscation of Android native binary code. arXiv preprint arXiv:1907.06828 (2019)"},{"key":"2_CR23","series-title":"Lecture Notes in Computer Science","doi-asserted-by":"publisher","first-page":"269","DOI":"10.1007\/978-3-319-69659-1_15","volume-title":"Information Security","author":"X Yang","year":"2017","unstructured":"Yang, X., et al.: How to make information-flow analysis based defense ineffective: an ART behavior-mask attack. In: Nguyen, P., Zhou, J. (eds.) ISC 2017. LNCS, vol. 10599, pp. 269\u2013287. Springer, Cham (2017). https:\/\/doi.org\/10.1007\/978-3-319-69659-1_15"},{"key":"2_CR24","unstructured":"Velasco, L., Duijn, R.: Fileless-threats-analysis-and-detection. In: Dearbytes (2018)"},{"key":"2_CR25","unstructured":"Zdnet: Google pauses removal of apps that want to use accessibility services (2017). https:\/\/www.zdnet.com\/article\/google-pauses-crackdown-of-accessibility-api-apps\/"},{"key":"2_CR26","doi-asserted-by":"crossref","unstructured":"Jang, Y., et al.: A11y attacks: exploiting accessibility in operating systems. In: Proceedings of the 2014 ACM SIGSAC, pp. 103\u2013115 (2014)","DOI":"10.1145\/2660267.2660295"},{"issue":"2","key":"2_CR27","doi-asserted-by":"publisher","first-page":"998","DOI":"10.1109\/COMST.2014.2386139","volume":"17","author":"P Faruki","year":"2014","unstructured":"Faruki, P., et al.: Android security: a survey of issues, malware penetration, and defenses. IEEE Commun. Surv. Tutor. 17(2), 998\u20131022 (2014)","journal-title":"IEEE Commun. Surv. Tutor."},{"key":"2_CR28","unstructured":"Drozhzhin, A.: SMS-based two-factor authentication is not safe-consider these alternative 2FA methods instead (2020). https:\/\/www.kaspersky.com\/blog\/2fa-practical-guide\/24219\/"},{"key":"2_CR29","unstructured":"Hackerone: Hackerone. https:\/\/www.hackerone.com\/"},{"key":"2_CR30","doi-asserted-by":"crossref","unstructured":"Vella, M., Rudramurthy, V.: Volatile memory-centric investigation of SMS-hijacked phones: a Pushbullet case study. In: 2018 FedC- SIS, pp. 607\u2013616. IEEE (2018)","DOI":"10.15439\/2018F11"}],"container-title":["Lecture Notes in Computer Science","Security and Trust Management"],"original-title":[],"language":"en","link":[{"URL":"https:\/\/link.springer.com\/content\/pdf\/10.1007\/978-3-030-59817-4_2","content-type":"unspecified","content-version":"vor","intended-application":"similarity-checking"}],"deposited":{"date-parts":[[2025,9,14]],"date-time":"2025-09-14T22:02:51Z","timestamp":1757887371000},"score":1,"resource":{"primary":{"URL":"https:\/\/link.springer.com\/10.1007\/978-3-030-59817-4_2"}},"subtitle":[],"short-title":[],"issued":{"date-parts":[[2020]]},"ISBN":["9783030598167","9783030598174"],"references-count":30,"URL":"https:\/\/doi.org\/10.1007\/978-3-030-59817-4_2","relation":{},"ISSN":["0302-9743","1611-3349"],"issn-type":[{"value":"0302-9743","type":"print"},{"value":"1611-3349","type":"electronic"}],"subject":[],"published":{"date-parts":[[2020]]},"assertion":[{"value":"16 September 2020","order":1,"name":"first_online","label":"First Online","group":{"name":"ChapterHistory","label":"Chapter History"}},{"value":"STM","order":1,"name":"conference_acronym","label":"Conference Acronym","group":{"name":"ConferenceInfo","label":"Conference Information"}},{"value":"International Workshop on Security and Trust Management","order":2,"name":"conference_name","label":"Conference Name","group":{"name":"ConferenceInfo","label":"Conference Information"}},{"value":"Guildford","order":3,"name":"conference_city","label":"Conference City","group":{"name":"ConferenceInfo","label":"Conference Information"}},{"value":"United Kingdom","order":4,"name":"conference_country","label":"Conference Country","group":{"name":"ConferenceInfo","label":"Conference Information"}},{"value":"2020","order":5,"name":"conference_year","label":"Conference Year","group":{"name":"ConferenceInfo","label":"Conference Information"}},{"value":"17 September 2020","order":7,"name":"conference_start_date","label":"Conference Start Date","group":{"name":"ConferenceInfo","label":"Conference Information"}},{"value":"18 September 2020","order":8,"name":"conference_end_date","label":"Conference End Date","group":{"name":"ConferenceInfo","label":"Conference Information"}},{"value":"16","order":9,"name":"conference_number","label":"Conference Number","group":{"name":"ConferenceInfo","label":"Conference Information"}},{"value":"stm2020","order":10,"name":"conference_id","label":"Conference ID","group":{"name":"ConferenceInfo","label":"Conference Information"}},{"value":"https:\/\/www.iit.cnr.it\/stm2020\/","order":11,"name":"conference_url","label":"Conference URL","group":{"name":"ConferenceInfo","label":"Conference Information"}},{"value":"Double-blind","order":1,"name":"type","label":"Type","group":{"name":"ConfEventPeerReviewInformation","label":"Peer Review Information (provided by the conference organizers)"}},{"value":"EasyChair","order":2,"name":"conference_management_system","label":"Conference Management System","group":{"name":"ConfEventPeerReviewInformation","label":"Peer Review Information (provided by the conference organizers)"}},{"value":"20","order":3,"name":"number_of_submissions_sent_for_review","label":"Number of Submissions Sent for Review","group":{"name":"ConfEventPeerReviewInformation","label":"Peer Review Information (provided by the conference organizers)"}},{"value":"8","order":4,"name":"number_of_full_papers_accepted","label":"Number of Full Papers Accepted","group":{"name":"ConfEventPeerReviewInformation","label":"Peer Review Information (provided by the conference organizers)"}},{"value":"0","order":5,"name":"number_of_short_papers_accepted","label":"Number of Short Papers Accepted","group":{"name":"ConfEventPeerReviewInformation","label":"Peer Review Information (provided by the conference organizers)"}},{"value":"40% - The value is computed by the equation \"Number of Full Papers Accepted \/ Number of Submissions Sent for Review * 100\" and then rounded to a whole number.","order":6,"name":"acceptance_rate_of_full_papers","label":"Acceptance Rate of Full Papers","group":{"name":"ConfEventPeerReviewInformation","label":"Peer Review Information (provided by the conference organizers)"}},{"value":"3","order":7,"name":"average_number_of_reviews_per_paper","label":"Average Number of Reviews per Paper","group":{"name":"ConfEventPeerReviewInformation","label":"Peer Review Information (provided by the conference organizers)"}},{"value":"1,5","order":8,"name":"average_number_of_papers_per_reviewer","label":"Average Number of Papers per Reviewer","group":{"name":"ConfEventPeerReviewInformation","label":"Peer Review Information (provided by the conference organizers)"}},{"value":"Yes","order":9,"name":"external_reviewers_involved","label":"External Reviewers Involved","group":{"name":"ConfEventPeerReviewInformation","label":"Peer Review Information (provided by the conference organizers)"}},{"value":"The conference was held virtually due to the COVID-19 pandemic","order":10,"name":"additional_info_on_review_process","label":"Additional Info on Review Process","group":{"name":"ConfEventPeerReviewInformation","label":"Peer Review Information (provided by the conference organizers)"}}]}}