Android Mobile Forensics, Recovery, & Debugging

Decoding Android Malware’s Accessibility Service Persistence: A Reverse Engineering Workshop

By Antigravity Research Published May 30, 2026 ⏱️ 7 Min Read
Google AdSense Native Placement - Horizontal Top-Post banner

Introduction: The Pervasive Threat of Accessibility Service Abuse

Android’s Accessibility Services, designed to assist users with disabilities by providing enhanced UI interaction capabilities, have unfortunately become a prime target for malware authors. These services grant applications the ability to observe and interact with UI elements, capture sensitive information, and even perform actions on behalf of the user, often without explicit, continuous user consent once enabled. This workshop delves into the reverse engineering techniques required to unravel how Android malware leverages Accessibility Services for persistence, providing a crucial understanding for mobile forensics and security professionals.

Why Accessibility Services? A Malware Perspective

Malware exploits Accessibility Services due to their profound access and control:

  • UI Interaction: Read on-screen content, simulate touches, and inject text. This allows attackers to bypass OTPs, steal credentials from legitimate apps, and manipulate settings.
  • Event Monitoring: Monitor all UI events, including button clicks, text changes, and window state transitions. This provides a rich stream of user activity.
  • Permission Bypass: Once enabled, an Accessibility Service can often perform actions that would typically require explicit user interaction or higher permissions, effectively bypassing some security controls.
  • Persistence: The ability to monitor system events allows malware to detect when its own service is disabled or uninstalled, and then trigger mechanisms to re-enable or reinstall itself.

Understanding these capabilities is the first step in recognizing the threat model.

Deconstructing Persistence: Common Mechanisms

Malware often employs several strategies to maintain an active Accessibility Service:

  1. Re-enabling Itself: The most common tactic. Malware monitors the state of accessibility services. If its own service is found disabled, it will attempt to redirect the user to the Accessibility settings screen, often with social engineering prompts, to coerce them into re-enabling it.
  2. Foreground Services and Broadcast Receivers: To prevent the OS from killing the malicious process, malware often runs its Accessibility Service as a foreground service, displaying a persistent notification. It might also use various broadcast receivers (e.g., BOOT_COMPLETED, PACKAGE_REPLACED) to restart its main component or service upon system events.
  3. Abusing startActivity: Programmatically launching the Accessibility settings via an intent (Settings.ACTION_ACCESSIBILITY_SETTINGS) is a key part of the re-enablement loop.
  4. Hiding its Presence: Some malware tries to hide its app icon or masquerade as a system service to avoid user detection and uninstallation.

Reverse Engineering Methodology: A Step-by-Step Guide

1. Initial Static Analysis: The Manifest File is Key

Begin by decompressing the APK and examining its AndroidManifest.xml. Look for:

  • <service> declarations with android:permission="android.permission.BIND_ACCESSIBILITY_SERVICE". This directly identifies an Accessibility Service.
  • The <meta-data> tag within the service, pointing to an XML configuration file (e.g., <meta-data android:name="android.accessibilityservice" android:resource="@xml/accessibility_service_config"/>). This XML defines the service’s capabilities (event types, package names to monitor).
  • Declared permissions, especially dangerous ones like RECEIVE_BOOT_COMPLETED, SYSTEM_ALERT_WINDOW, or READ_PHONE_STATE, which can be used in conjunction with accessibility abuse.

Example AndroidManifest.xml snippet:

<manifest ...>    <uses-permission android:name="android.permission.BIND_ACCESSIBILITY_SERVICE"/>    <uses-permission android:name="android.permission.RECEIVE_BOOT_COMPLETED"/>    <application ...>        <service android:name=".MaliciousAccessibilityService"                 android:permission="android.permission.BIND_ACCESSIBILITY_SERVICE"                 android:label="@string/app_name">            <intent-filter>                <action android:name="android.accessibilityservice.AccessibilityService"/>            </intent-filter>            <meta-data android:name="android.accessibilityservice"                       android:resource="@xml/accessibility_service_config"/>        </service>        <receiver android:name=".BootReceiver">            <intent-filter>                <action android:name="android.intent.action.BOOT_COMPLETED"/>            </intent-filter>        </receiver>    </application></manifest>

2. Decompilation and Code Analysis

Use tools like Jadx or Ghidra to decompile the APK. Focus on the identified Accessibility Service class (e.g., .MaliciousAccessibilityService) and its associated configuration XML.

Key Methods to Examine:

  • onServiceConnected(): This method is called when the accessibility service is successfully connected to the system. Malware often performs initial setup here, checks for its enabled state, or starts background tasks.
  • onAccessibilityEvent(AccessibilityEvent event): This is the core of an Accessibility Service. Malware will implement logic here to process UI events. Look for:
    • event.getEventType() checks (e.g., TYPE_WINDOW_STATE_CHANGED, TYPE_VIEW_CLICKED).
    • event.getPackageName() checks: Malware might specifically target legitimate banking apps, communication apps, or even the Android settings app.
    • Calls to performAction(), findAccessibilityNodeInfosByViewId(), or getText() on AccessibilityNodeInfo objects, indicating UI manipulation or data exfiltration.
  • onInterrupt(): Called when the system wants to turn off the service. Malicious services might ignore this or attempt to log the event.

Identifying Persistence Logic:

Search for calls related to system settings or service management:

  • Settings.Secure.ENABLED_ACCESSIBILITY_SERVICES: This global setting stores a colon-separated list of enabled accessibility services. Malware might read this to check its own status.
  • Settings.Secure.ACCESSIBILITY_ENABLED: Checks if accessibility services are generally enabled.
  • Intent.ACTION_ACCESSIBILITY_SETTINGS: Used to launch the Accessibility settings screen. This is a tell-tale sign of malware trying to guide the user to re-enable itself.
  • `ComponentName` objects: Malware might create a `ComponentName` for its own service to check its status or use in intents.

Example of persistence logic in decompiled Java:

public class MaliciousAccessibilityService extends AccessibilityService {    @Override    protected void onServiceConnected() {        super.onServiceConnected();        Log.d("MalService", "Service connected!");        // Periodically check if service is still enabled        new Thread(() -> {            while (true) {                try {                    Thread.sleep(5000); // Check every 5 seconds                    if (!isServiceEnabled(getApplicationContext())) {                        Log.w("MalService", "Service disabled, attempting to re-enable!");                        promptForAccessibilitySettings(getApplicationContext());                    }                } catch (InterruptedException e) {                    Thread.currentThread().interrupt();                    break;                }            }        }).start();    }    private boolean isServiceEnabled(Context context) {        String service = context.getPackageName() + "/" + MaliciousAccessibilityService.class.getName();        String enabledServices = Settings.Secure.getString(context.getContentResolver(),                Settings.Secure.ENABLED_ACCESSIBILITY_SERVICES);        return enabledServices != null && enabledServices.contains(service);    }    private void promptForAccessibilitySettings(Context context) {        Intent intent = new Intent(Settings.ACTION_ACCESSIBILITY_SETTINGS);        intent.addFlags(Intent.FLAG_ACTIVITY_NEW_TASK);        context.startActivity(intent);    }    // ... other onAccessibilityEvent and onInterrupt methods ...}

3. Dynamic Analysis and Monitoring

Execute the malware in a controlled environment (emulator or rooted device) and use dynamic analysis tools.

ADB Commands:

  • Check enabled services: 
    adb shell settings get secure enabled_accessibility_services

    This command displays a list of currently active accessibility services, allowing you to confirm if the malware’s service is running.

  • Launch settings: 
    adb shell am start -a android.settings.ACCESSIBILITY_SETTINGS

    Simulate or observe if the malware launches this intent.

Frida/Xposed Hooking:

For deeper insights, use Frida to hook critical Android API calls:

  • Hook `Settings.Secure.putString` to monitor attempts to modify accessibility settings.
  • Hook `AccessibilityManager.sendAccessibilityEvent` or `onAccessibilityEvent` in the malware’s service to understand what events it’s intercepting.
  • Hook `startActivity` calls originating from the malware to see if it’s redirecting users to settings.

Example Frida script idea to monitor accessibility settings changes:

Java.perform(function () {    var SettingsSecure = Java.use("android.provider.Settings$Secure");    SettingsSecure.putString.overload('android.content.ContentResolver', 'java.lang.String', 'java.lang.String').implementation = function (cr, name, value) {        console.log("Settings.Secure.putString called:");        console.log("  Name: " + name);        console.log("  Value: " + value);        if (name === "enabled_accessibility_services") {            console.warn("  !!! ACCESSIBILITY SERVICE SETTINGS MODIFIED !!!");        }        return this.putString(cr, name, value);    };});

Attach this script to the target application’s process using `frida -U -l your_script.js -f com.malware.package –no-pause`.

Detection and Mitigation Strategies

Understanding these persistence mechanisms is vital for building robust detection and mitigation strategies:

  • User Awareness: Educating users about the dangers of enabling accessibility services for unknown apps is crucial.
  • App Permissions Review: Regularly review permissions granted to installed applications.
  • Behavioral Analysis: Security solutions can monitor for suspicious activities like an app repeatedly launching accessibility settings, attempting to read sensitive UI elements from other apps, or frequent checks on its own service status.
  • API Monitoring: OS-level monitoring for `Settings.Secure` modifications or frequent `startActivity` calls to accessibility settings.
  • Disabling Unknown Services: Users should be advised to disable any unfamiliar accessibility services immediately.

Conclusion

Android malware’s exploitation of Accessibility Services for persistence represents a significant and evolving threat. By mastering static and dynamic reverse engineering techniques, security researchers and forensic analysts can effectively dissect these intricate mechanisms. This knowledge empowers us to not only understand how these threats operate but also to develop more effective countermeasures, safeguarding the integrity and security of the Android ecosystem.

Android Mobile Specs & Compare Directory

Are you researching mobile hardware properties, processor SoCs, GPU chipsets, or RAM configurations? Access our complete specs catalog to compare up to 5 devices side-by-side!

Compare Devices Specs →
Google AdSense Inline Placement - Content Footer banner
Tags: #Accessibility Services #Android Malware #Mobile forensics #Persistence #Reverse Engineering

Related Technical Guides

Live Acquisition & Decryption: WhatsApp Forensics on Rooted Android Devices

May 30, 2026

Forensic Walkthrough: Unearthing Telegram Secrets from Non-Rooted Android Backups

May 30, 2026

Bypassing Android Security: Accessing Telegram Data Without Device Unlock (Forensic Methods)

May 30, 2026