android-accessibility-pentest

Android Accessibility Service security analysis and pentesting. Use this skill whenever the user mentions Android security testing, accessibility service abuse, RAT detection, malware analysis, ClayRat, PlayPraetor, overlay phishing, credential harvesting, or any Android app security assessment involving AccessibilityService APIs. This skill helps detect malicious accessibility services, analyze abuse patterns, and harden apps against accessibility-based attacks.
abelrguezr/hacktricks-skills · ★ 13 · Testing & QA · score 65
Install: claude install-skill abelrguezr/hacktricks-skills
# Android Accessibility Service Pentesting

A skill for analyzing, detecting, and testing Android Accessibility Service abuse patterns in security assessments.

## When to use this skill

Use this skill when:

- Analyzing Android apps for malicious accessibility services
- Testing for overlay phishing or credential harvesting vulnerabilities
- Investigating RATs like ClayRat, PlayPraetor, SpyNote, BrasDex, SOVA, ToxicPanda
- Assessing banking app security against accessibility-based attacks
- Detecting on-device fraud (ODF) automation patterns
- Reviewing APK manifests for suspicious accessibility configurations
- Hardening apps against accessibility service abuse
- Understanding Android RAT command & control workflows

## Core Concepts

### What is AccessibilityService Abuse?

`AccessibilityService` was designed to help users with disabilities interact with Android devices. However, the same powerful automation APIs can be weaponized by malware to gain **complete remote control** of the handset without root privileges.

**Key capabilities attackers exploit:**

- Capture every UI event and text on screen
- Inject synthetic gestures (`dispatchGesture`)
- Perform global actions (`performGlobalAction`)
- Draw full-screen overlays using `TYPE_ACCESSIBILITY_OVERLAY` (no `SYSTEM_ALERT_WINDOW` prompt!)
- Silently grant additional runtime permissions by clicking system dialogs

### The Attack Recipe

1. **Social engineering** → Victim enables rogue accessibility service (requires expli