T1453 Abuse Accessibility Features
Adversaries may abuse accessibility features in Android devices to steal sensitive data and to spread malware to other devices. Accessibility features in Android are designed to assist users with disabilities, performing a variety of tasks, such as using Action Blocks to control lightbulbs, and changing the device’s user interface, such as changing the font size and adjusting contrast or colors. [1]
One example of how adversaries abuse accessibility features is overlaying an HTML object mimicking a legitimate login screen. The user types their credentials in the overlay HTML object, and the credentials are then sent to the adversaries. [2]
Another example is a malicious accessibility feature acting as a keylogger. The keylogger monitors changes on the EditText fields and sends them to the adversaries. [2] This method of attack is also described in Keylogging, whereas Abuse Accessibility Features captures the overall abuse of accessibility features.
| Item | Value |
|---|---|
| ID | T1453 |
| Sub-techniques | |
| Tactics | TA0035, TA0031 |
| Platforms | Android |
| Version | 3.0 |
| Created | 25 October 2017 |
| Last Modified | 27 October 2025 |
Procedure Examples
| ID | Name | Description |
|---|---|---|
| S0422 | Anubis | After accessibility service is granted, Anubis lures the victim into changing the Accessibility settings on the device, disabling application removal, and executes screen taps and other commands without the victim’s knowledge. [6] |
| S1083 | Chameleon | After accessibility permissions are granted, Chameleon has used the Accessibility Service to perform a variety of actions, such as switching from biometric authentication to PIN authentication, automatically granting additional permissions, preventing uninstallation, and disabling Play Protect. [3][4] |
| S1225 | CherryBlos | After accessibility permissions are granted, CherryBlos has used the Accessibility Service to monitor when a wallet application launches and to steal credentials. [5] |
| S1067 | FluBot | FluBot abuses accessibility features in three ways: to steal application credentials, to evade detection and removal, and to send SMS for lateral movement. [2] |
| S1231 | GodFather | GodFather has abused the accessibility service to prevent the user from uninstalling GodFather, to exfiltrate Google Authenticator one-time passwords and to steal credentials. [7] |
Mitigations
| ID | Mitigation | Description |
|---|---|---|
| M1011 | User Guidance | First, users should be wary of clicking on suspicious text messages, links and emails. Secondly, users should be wary of granting applications accessibility features. Users may check applications that have been granted accessibility features by going to Settings, then Accessibility. Finally, users should be wary of downloading applications; although applications may be on the Google Play Store, they may not be benign (see Application Versioning). |
References
1. Google. (n.d.). Android accessibility overview. Retrieved April 17, 2025.
2. Şahin, Erdoğan Yağız. (2021, December 21). When your phone gets sick: FluBot abuses Accessibility features to steal data. Retrieved April 16, 2025.
3. Cyble Research & Intelligence Labs. (2023, April 13). Banking Trojan targeting mobile users in Australia and Poland. Retrieved August 16, 2023.
4. ThreatFabric. (2023, December 21). Android Banking Trojan Chameleon can now bypass any Biometric Authentication. Retrieved July 7, 2025.
5. Trend Micro Research. (2023, July 28). Related CherryBlos and FakeTrade Android Malware Involved in Scam Campaigns. Retrieved March 28, 2025.
6. Cyble. (2021, May 2). Mobile Malware App Anubis Strikes Again, Continues to Lure Users Disguised as a Fake Antivirus. Retrieved April 24, 2025.
7. Merkle Science. (2023, April 25). The Godfather Android Malware: Threat under the lens. Retrieved July 16, 2025.