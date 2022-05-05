SMS scams aimed at taking control of our device, obtaining our entire contact list to get more potential victims and finally getting hold of our bank details were one of the technological topics in Spain in 2021. On the first day of last year we already told that there was a Correos application that controlled our smartphone and that was difficult to uninstall. Later, clones of all the messaging companies followed, and we learned that the software used for this was called FluBot.

In March 2021 alone, FluBot had already infected 60,000 phones and stolen the number of 1 in 4 Spaniards. Regarding these cases, the National Police told Genbeta that they estimated that “the average profit may be around 15,000 – 20,000 euros, although there are always cases in which the loss is lower and some in which it is much higher (we have come to see some of about 100,000 euros).

The phishing SMS that we have recently received no longer invite us to install a fraudulent application, but rather to enter our bank details on websites that pretend to be Caixabank, Santander or BBVA. However, last year’s damage is done, and part of the blame for the success of FluBot is explained from the operation of AndroidWell, iOS on iPhones never had a vulnerability that allowed an attacker to take control of our device and our screen in this way.

Attackers took advantage of how Android Accessibility permissions work, and now Google wants to fix it in Android 13, we learn from Esper.

What happens today and what does Google want to change



The big problem with Flubot was that giving the malware such advanced permissions only took a couple of taps from the user.

What made Flubot so powerful is that attackers created clone apps of Post Office, FedEx, MRW, and more, and managed to trick thousands of users into passing them off as legitimate apps. After that, what made it so easy for attackers to control the entire devices was after opening the applications for the first time, the system asked the user if they wanted to allow the app to “take full control of the device”. That which today, even in Android 12, grants the accessibility service/permission: almost unlimited power.

On iOS, the system will never ask the user if they want to allow something like this on their device, because it is a more closed system considering what the lack of security could lead to in cases like this. Google is more open and leaves more freedom. An alert of the type “Do you want to allow FedEx to fully control your device”, indicating permissions such as viewing and controlling the entire screen, which should trigger all user alarms, has proven not to be enough.

The current problem has to do, especially with the applications that we install manually with an .apk file, a practice known in English as sideloading. According to what they say in Esper, the applications that we install by the most common way on Android, the Google Play Store, already have limitations applied to the Accessibility API. It is ironic that the limitation has been applied before in the Google store, where a review of the applications is assumed, and not to applications installed from external sources that do not have to be well-intentioned.

What Google is going to do in Android 13, as confirmed to Esper, is that everything remains the same for applications installed outside of Google Play but that have also been installed on the device through another app store, such as the Amazon App Store or F-Droid. In other words, these applications will continue to have access to the accessibility APIs without suffering major restrictions.

Google will detect two types of app installations: those executed through the Play Store and other stores, and those installed manually

The big change is going to come for applications downloaded from the internet manually, or that we have received in applications such as WhatsApp, Telegram, Gmail, etc.. When we install these applications and when opening them we are asked to activate the accessibility permission, the system will automatically block that user attempt, even if it is voluntary. In other words, even knowing 100% of the risks and being totally convinced of wanting to give that application total control of our mobile, we will not be able to.



Image of Esper. This is what will happen when we voluntarily want to remove system restrictions.

What the user will be able to do on their own is to go to Settings and search for “Application information”. Once we are in the window of our application, we can click on the “Allow restricted settings” which is hidden under a submenu. This would again allow the app in question to take control of our device, if we want.

We will have to see this implementation to conclude how difficult it is to bypass it, but the important thing is that it will distance the average user from the possibility of accepting a permission that warns you that they will totally control your mobile. There will always be risks, but much more hidden.

Now, the only problem is that this depends on android 13. In November 2021, after Android 12 had already been launched, Android 11 was only in 24.3% of terminals. That means that it will be years before most users can enjoy this real-time protection of Android 13.