Georgia Tech’s New Tool Can Detect Malware on Android Phones

Researchers at the conference.

Screen readers, voice-to-text, and other accessibility features have enabled people with disabilities to use smartphones. Yet these same features make the phones more accessible to hackers, too. 

Malware uses these accessibility tools to read screens and click on things it shouldn’t — with disastrous consequences, like transferring large sums of money from a banking app or even preventing the malware from being uninstalled. All it takes is a user clicking on a phishing link or downloading the wrong app from the Google Play Store to install malware on a phone. Then everything from cryptocurrency apps to rideshare apps with credit cards stored in a virtual wallet becomes vulnerable. 
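Because accessibility abuse hinges on an app being granted an accessibility service, one concrete defender check is to audit which services a device currently has enabled. The following POSIX shell script is an added example and is not part of the Georgia Tech article or the DVa tool. On a real device the list would come from `adb shell settings get secure enabled_accessibility_services` (a real Android Settings.Secure key that returns colon-separated `package/service` entries); here the enabled-services string and the allowlist are constructed values so the script runs offline, and the `com.example.unknownapp` package is hypothetical.

```shell
#!/bin/sh
# Added example (not from the article or from DVa): list enabled Android
# accessibility services whose package is not on a reviewed allowlist.
# On a device, the input value is produced by:
#   adb shell settings get secure enabled_accessibility_services
# Here a constructed sample stands in for that output.

# Constructed sample: a screen reader plus a hypothetical unknown service.
SAMPLE_ENABLED="com.google.android.marvin.talkback/com.google.android.marvin.talkback.TalkBackService:com.example.unknownapp/.ScreenReaderService"

# Hypothetical allowlist of packages expected to hold the permission
# (space-separated; adjust for your own fleet).
ALLOWLIST="com.google.android.marvin.talkback"

# Print every enabled service whose package is not on the allowlist.
#   $1: colon-separated enabled_accessibility_services value
#   $2: space-separated allowlist of package names
unexpected_accessibility_services() {
    printf '%s\n' "$1" | tr ':' '\n' | while IFS= read -r svc; do
        [ -z "$svc" ] && continue
        pkg=${svc%%/*}          # package name is the part before the slash
        found=0
        for allowed in $2; do
            if [ "$pkg" = "$allowed" ]; then
                found=1
            fi
        done
        if [ "$found" -eq 0 ]; then
            printf '%s\n' "$svc"
        fi
    done
    return 0
}

# Number of unexpected services; handy as a fleet-wide health signal.
count_unexpected() {
    unexpected_accessibility_services "$1" "$2" | awk 'END { print NR }'
}

# Run against the constructed sample.
unexpected_accessibility_services "$SAMPLE_ENABLED" "$ALLOWLIST"
```

Any service printed by the script deserves the same treatment the article describes for DVa's findings: confirm whether the app legitimately needs accessibility access, and if not, revoke the permission and remove the app.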

Researchers at Georgia Tech have developed a new tool, Detector of Victim-specific Accessibility (DVa), that can check for malware. DVa runs on the cloud to check the phone for this malware, then sends the user a report of its findings that shows which apps are malware and how to delete them. It will also tell them which victim apps the malware was targeting and how to contact those companies to check for damages. DVa also sends a report to Google, so the company can attempt to eradicate this malware from apps.

“As we continue to design systems that are more and more accessible, we also need security experts in the room,” said Brendan Saltaformaggio, an associate professor in the School of Cybersecurity and Privacy (SCP) and the School of Electrical and Computer Engineering. “Because if we don't, they're going to get abused by hackers.”

Modeling Malware

To determine how vulnerable smartphones are to this type of hack, the team set up five Google Pixel phones and performed a malware analysis. The Georgia Tech researchers teamed up with Netskope — an industry leader in cloud, data, and network security — to help protect smartphones everywhere from this type of powerful malware. They then installed malware samples on each phone to observe how the malware debilitated the system, and used DVa to report this behavior.

While DVa can detect current attacks, the researchers note the challenge is ensuring that removing malware doesn’t remove accessibility.

“In the future, we need to look at how accessibility services work overall to figure out what's fundamentally different from a benign use and a malicious use,” said Haichuan (Ken) Xu, a Ph.D. student in SCP. 

News Contact

Tess Malone, Senior Research Writer/Editor

tess.malone@gatech.edu