Researchers develop new tool for spotting Android malware


Security researchers have devised a new tool to help Android users spot and remove malware from their devices.

Detector of Victim-specific Accessibility (DVa), built by cybersecurity experts at Georgia Tech, runs in the cloud, checks the phone for malware that abuses accessibility permissions, and then reports back to the user.

If the tool finds any positives, the user can then uninstall the app or otherwise clean up their device.

GPUs making attacks potent

"As we continue to design systems that are more and more accessible, we also need security experts in the room," said Brendan Saltaformaggio, an associate professor in the School of Cybersecurity and Privacy (SCP) and the School of Electrical and Computer Engineering. "Because if we don't, they're going to get abused by hackers."

Besides reporting back to the user, DVa also sends a report directly to Google. While that is certainly commendable, it is also worth mentioning that Google is already doing a solid job of keeping its app repository clean. The majority of Android-based malware is usually downloaded from third-party app stores, shady websites, or through social media advertising.

Most of the time, Android malware can be identified by the permissions it asks for. Usually, this type of malware will ask for Accessibility permissions, which are primarily built to simplify use for people with different disabilities. Accessibility permissions are designed for apps that read the contents of the screen, turn them into audio, and similar.

However, malicious apps with the same permissions can tap on things, which can lead to data loss and even wire fraud.
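
A static first-pass check of the permission heuristic described above, as an added example that is not from the article or the DVa researchers and is not how DVa itself works. The manifest, service config, package and service names are constructed samples; the function name is hypothetical.

```python
import xml.etree.ElementTree as ET

ANDROID = "{http://schemas.android.com/apk/res/android}"
BIND = "android.permission.BIND_ACCESSIBILITY_SERVICE"
ACTION = "android.accessibilityservice.AccessibilityService"

# Constructed sample: decoded AndroidManifest.xml of a hypothetical app.
MANIFEST = """<manifest xmlns:android="http://schemas.android.com/apk/res/android"
    package="com.example.flashlight">
  <application>
    <service android:name=".HelperService"
        android:permission="android.permission.BIND_ACCESSIBILITY_SERVICE">
      <intent-filter>
        <action android:name="android.accessibilityservice.AccessibilityService"/>
      </intent-filter>
      <meta-data android:name="android.accessibilityservice"
          android:resource="@xml/helper_config"/>
    </service>
    <service android:name=".SyncService"/>
  </application>
</manifest>"""

# Constructed sample: the res/xml file the meta-data entry points to.
CONFIGS = {"@xml/helper_config": """<accessibility-service
    xmlns:android="http://schemas.android.com/apk/res/android"
    android:canRetrieveWindowContent="true"
    android:canPerformGestures="true"/>"""}

def accessibility_services(manifest_xml, configs):
    """List declared accessibility services and the capabilities they request."""
    root = ET.fromstring(manifest_xml)
    findings = []
    for svc in root.iter("service"):
        actions = {a.get(ANDROID + "name") for a in svc.iter("action")}
        if svc.get(ANDROID + "permission") != BIND or ACTION not in actions:
            continue  # not an accessibility service
        caps = {"read_screen": False, "perform_gestures": False}
        for md in svc.iter("meta-data"):
            cfg = configs.get(md.get(ANDROID + "resource"))
            if md.get(ANDROID + "name") != "android.accessibilityservice" or cfg is None:
                continue
            node = ET.fromstring(cfg)
            caps["read_screen"] = node.get(ANDROID + "canRetrieveWindowContent") == "true"
            caps["perform_gestures"] = node.get(ANDROID + "canPerformGestures") == "true"
        findings.append({"package": root.get("package"),
                         "service": svc.get(ANDROID + "name"), **caps})
    return findings
```

Legitimate screen readers declare the same service, so a hit is a prompt for review (install source, whether the app's purpose needs it), not a verdict.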

“The Android accessibility service is widely abused by malware to conduct on-device monetization fraud,” the researchers explained in the whitepaper. “Existing mitigation techniques focus on malware detection but overlook providing users evidence of abuses that have already occurred and notifying victims to facilitate defenses. We developed DVa, a malware analysis pipeline based on dynamic victim-guided execution and abuse-vector-guided symbolic analysis, to help investigators uncover malware’s targeted victims, victim-specific abuse vectors, and persistence mechanisms.”

After deploying DVa on Android devices infected with almost 10,000 pieces of malware, the researchers uncovered 215 unique victim vectors and an average of 13.9 abuse routines. The full research can be found here.


Sead is a seasoned freelance journalist based in Sarajevo, Bosnia and Herzegovina. He writes about IT (cloud, IoT, 5G, VPN) and cybersecurity (ransomware, data breaches, laws and regulations). In his career, spanning more than a decade, he’s written for numerous media outlets, including Al Jazeera Balkans. He’s also held several modules on content writing for Represent Communications.
