MITRE ATT&CK® Technique

T1453: Abuse Accessibility Features

Adversaries may abuse accessibility features in Android devices to steal sensitive data and to spread malware to other devices. Accessibility features in Android are designed to assist users with disabilities, performing a variety of tasks, such as using Action Blocks to control lightbulbs, and changing the device’s user interface, such as changing the font size and adjusting contrast or colors.[1]

One example of how adversaries abuse accessibility features is overlaying an HTML object mimicking a legitimate login screen. The user types their credentials in the overlay HTML object, which is then sent to the adversaries.[2]

Another example is a malicious accessibility feature acting as a keylogger. The keylogger monitors changes on the EditText fields and sends them to the adversaries.[2] This method of attack is also described in Keylogging, whereas Abuse Accessibility Features captures the overall abuse of accessibility features.

Mobile | T1453 | Technique | Object v3.0 | Modified
Glexia's Take

Analyst context for executives and security teams

Analyst confidence: Medium

Abuse Accessibility Features matters because Android accessibility services can give an app powerful visibility into what a user sees and types. In the ATT&CK description, adversaries use this to capture credentials through fake login overlays or keylogging-like monitoring of text fields. For organizations with Android users, this is an identity and fraud risk as much as a mobile malware issue: a single approved-looking prompt can expose credentials, banking or wallet access, and sensitive data.

Executive priority

Treat this as a mobile identity-risk control question: do we know which Android devices can grant accessibility access, which apps have it enabled, and whether users understand when not to approve it? Priority is higher for workforces using Android for email, MFA, banking, cryptocurrency, executive communications, or regulated data access. The supplied ATT&CK relationships show multiple Android malware families using this behavior, so leaders should ask for evidence of mobile visibility and user guidance rather than assuming endpoint controls cover it.

Technical view

This technique is scoped to Android. ATT&CK provides no official detection text for T1453, but it does link a detection strategy, DET0697: Detection of Abuse Accessibility Features. SOC and mobile security teams should validate whether they can observe accessibility service enablement, suspicious accessibility permission requests, newly installed apps requesting accessibility privileges, overlay-like behavior, and text-field interaction monitoring indicators where mobile telemetry supports it. Incident responders should treat unexpected accessibility access by untrusted or masquerading apps as a potential credential-theft lead and review related account activity.

Likely telemetry

  • Android accessibility service configuration and enabled-service state
  • Installed application/package inventory and app provenance
  • Permission-request and permission-grant events for accessibility-related capabilities
  • Mobile security, MDM, or EMM alerts for suspicious apps or risky configuration changes
  • User reports of unexpected accessibility prompts, fake login screens, or unusual overlays

Detection direction

  • Confirm whether DET0697 or an equivalent local detection strategy is implemented for Android accessibility abuse.
  • Baseline legitimate accessibility-service use; false positives are likely for assistive tools and enterprise-approved accessibility applications.
  • Prioritize alerts where a recently installed, untrusted, or masquerading app requests or receives accessibility access.
  • Correlate accessibility enablement with credential-entry complaints, overlay reports, suspicious authentication, or mobile malware detections.
  • Look for blind spots on personally owned Android devices, unmanaged devices, and devices where mobile telemetry cannot report accessibility settings.
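As an added example (not Glexia's or MITRE's code), the Python script below shows one way to act on the baseline-and-prioritize direction above for a managed device. It parses the output of two real adb commands, `adb shell settings get secure enabled_accessibility_services` and `adb shell pm list packages -i -3`, compares each enabled accessibility service against an approved baseline, and raises a finding when the app holding the service is sideloaded (installer is not a known store) or was installed recently. The sample command output, package names, baseline entries and install dates are constructed for this example; `APPROVED_SERVICES` and `KNOWN_STORES` are assumptions an organization would fill from its own inventory.

```python
"""Baseline-and-prioritize check for enabled Android accessibility services.

Added example for this page, not Glexia's or MITRE's code. Inputs are the
outputs of two real adb commands plus a per-package first-install time:
  adb shell settings get secure enabled_accessibility_services
      -> colon-separated "package/ServiceClass" entries
  adb shell pm list packages -i -3
      -> one "package:<pkg>  installer=<pkg|null>" line per third-party app
All sample data below is constructed, not captured from a device.
"""
from dataclasses import dataclass, field
from datetime import datetime
from typing import Dict, List

# Constructed: value of enabled_accessibility_services on a hypothetical device.
SAMPLE_ENABLED = (
    "com.google.android.marvin.talkback/com.google.android.marvin.talkback.TalkBackService:"
    "com.example.pdfviewer/com.example.pdfviewer.AssistService:"
    "org.example.gbank/.Helper"  # Android allows ".Class" shorthand relative to the package
)

# Constructed: `pm list packages -i -3` output for the same device.
SAMPLE_PACKAGES = """\
package:com.google.android.marvin.talkback  installer=com.android.vending
package:com.example.pdfviewer  installer=null
package:org.example.gbank  installer=com.android.vending
"""

# Constructed: firstInstallTime per package (as shown by `dumpsys package`), pre-parsed.
SAMPLE_FIRST_INSTALL = {
    "com.google.android.marvin.talkback": datetime(2024, 1, 10, 8, 0, 0),
    "com.example.pdfviewer": datetime(2025, 4, 15, 10, 22, 1),
    "org.example.gbank": datetime(2025, 2, 1, 12, 0, 0),
}
NOW = datetime(2025, 4, 17, 9, 0, 0)  # constructed "time of check"

# Assumptions an organization fills from its own inventory.
APPROVED_SERVICES = {
    "com.google.android.marvin.talkback/com.google.android.marvin.talkback.TalkBackService",
}
KNOWN_STORES = {"com.android.vending"}  # Google Play; add the enterprise store's package here


def parse_enabled_services(raw: str) -> List[str]:
    """Split the settings value into fully qualified 'package/Class' names."""
    services = []
    for item in raw.strip().split(":"):
        if not item:
            continue
        pkg, _, cls = item.partition("/")
        if cls.startswith("."):  # expand the relative shorthand
            cls = pkg + cls
        services.append(f"{pkg}/{cls}")
    return services


def parse_installers(raw: str) -> Dict[str, str]:
    """Map package name -> installer package from `pm list packages -i` lines."""
    installers = {}
    for line in raw.splitlines():
        line = line.strip()
        if not line.startswith("package:"):
            continue
        pkg, _, rest = line[len("package:"):].partition("installer=")
        installers[pkg.strip()] = rest.strip() or "null"
    return installers


@dataclass
class Finding:
    service: str
    package: str
    reasons: List[str] = field(default_factory=list)

    @property
    def severity(self) -> str:
        """baseline = approved; medium = one risk signal; high = two or more."""
        if not self.reasons:
            return "baseline"
        return "high" if len(self.reasons) >= 2 else "medium"


def triage(enabled_raw, packages_raw, first_install, now, recent_days=7) -> List[Finding]:
    """Compare each enabled accessibility service against the baseline and record
    a reason per risk signal: unapproved, sideloaded, recently installed."""
    installers = parse_installers(packages_raw)
    findings = []
    for service in parse_enabled_services(enabled_raw):
        pkg = service.split("/", 1)[0]
        finding = Finding(service=service, package=pkg)
        if service not in APPROVED_SERVICES:
            finding.reasons.append("not in approved accessibility baseline")
            installer = installers.get(pkg, "unknown")
            if installer not in KNOWN_STORES:
                finding.reasons.append(f"installer '{installer}' is not a trusted store")
            installed = first_install.get(pkg)
            if installed is not None and (now - installed).days <= recent_days:
                finding.reasons.append(f"installed {(now - installed).days} day(s) ago")
        findings.append(finding)
    return findings


def report(findings: List[Finding]) -> List[str]:
    """Render findings, highest severity first, one line each."""
    order = {"high": 0, "medium": 1, "baseline": 2}
    lines = []
    for f in sorted(findings, key=lambda x: order[x.severity]):
        detail = "; ".join(f.reasons) if f.reasons else "approved baseline service"
        lines.append(f"[{f.severity.upper():8}] {f.service}: {detail}")
    return lines


if __name__ == "__main__":
    for line in report(triage(SAMPLE_ENABLED, SAMPLE_PACKAGES, SAMPLE_FIRST_INSTALL, NOW)):
        print(line)
```

Run against the constructed data, the approved screen reader is reported as baseline, the Play-installed banking helper that is not yet baselined gets a medium finding (a prompt to either add it to the baseline or investigate), and the sideloaded, recently installed viewer app gets a high finding. On a real fleet the same logic runs over per-device output collected by MDM or EMM tooling, and the baseline set is what keeps assistive tools from generating false positives.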

Mitigation priorities

  • Use M1011 User Guidance as the primary ATT&CK-supported mitigation: train users not to grant accessibility access to unfamiliar apps or unexpected prompts.
  • Provide clear instructions for reviewing and disabling unnecessary Android accessibility services.
  • Include accessibility-permission checks in mobile incident response playbooks and help desk triage.
  • For managed Android fleets, verify that existing mobile management and security controls can inventory apps and risky accessibility settings before relying on them for assurance.
  • Use the related malware context to prioritize awareness and validation for users with access to sensitive business, financial, or identity systems.

Analyst notes and limits

ATT&CK associates this technique with Android malware including Anubis, FluBot, Chameleon, CherryBlos, GodFather, Crocodilus, DocSwap, and VajraSpy. The object highlights credential overlays and keylogging-like monitoring of EditText fields as examples, with Keylogging T1417.001 covering the narrower keylogging behavior. This take avoids inferring current exposure or active exploitation in any environment.

The supplied ATT&CK object has no official detection text and no tactics specified. Several related software descriptions are truncated in the source provided. Local conclusions require device inventory, mobile telemetry, app provenance, user population, and identity log evidence.

Official MITRE ATT&CK definition

Abuse Accessibility Features

View the same entry on attack.mitre.org (MITRE-hosted reference; in-page links above use the Glexia ATT&CK library.)

Glexia analysis

How security teams should use this page

Treat this object as behavior context, not an attribution claim. Validate the related groups, software, data sources, and mitigations against official ATT&CK relationships and your own telemetry before making control-coverage decisions.

Associated objects

Groups, software, and campaigns

Malware Mobile

S1083: Chameleon

Chameleon is an Android banking trojan that can leverage Android’s Accessibility Services to perform malicious activities. Believed to have been first active in January 2023, Chameleon has been observed targeting users in Australia and Poland by masquerading as official applications. A new variant of Chameleon has expanded its targets to include Android users in the United Kingdom and Italy.[1][2]

Android
Malware Mobile

S9006: VajraSpy

VajraSpy is Android malware distributed via trojanized messaging and news applications. It has been used to target individuals in Pakistan and India since at least 2021 and has been delivered through the Google Play Store, malicious domains, and other uncontrolled distribution channels. VajraSpy is attributed with high confidence to Patchwork which has used the malware to conduct targeted espionage, primarily against devices in Pakistan.[1][2][3]

Android
Malware Mobile

S1225: CherryBlos

CherryBlos is an Android malware that steals credentials and redirects cryptocurrency to adversary-controlled wallets. CherryBlos was labelled Robot 999 in its first appearance in April 2023; since then, various aliases have been used, including GPTalk, Happy Miner, and SynthNet. The threat actors behind CherryBlos uploaded the malware to different Google Play regions, such as Malaysia, Vietnam, Indonesia, Philippines, Uganda, and Mexico.[1]

Android
Malware Mobile

S0422: Anubis

Anubis is Android malware that was originally used for cyber espionage, and has been retooled as a banking trojan.[1]

Android
Malware Mobile

S9005: DocSwap

DocSwap is an Android malware first identified in 2025, and attributed to Kimsuky. DocSwap’s name is a combination of its Korean name “문서열람 인증 앱” (Document Viewing Authentication App) and a phishing page masquerading as CoinSwap at the C2 address. Based on DocSwap’s name and Korean-language strings, DocSwap potentially targets mobile device users in South Korea. Several variants of DocSwap exist; one of the latest samples indicates that the adversary added a native decryption function that decrypts an internal APK.[1][2]

Android
Malware Mobile

S1231: GodFather

GodFather is an Android banking malware that uses virtualization to mimic legitimate applications and abuses accessibility services and other permissions to evade detection and exfiltrate sensitive data. First identified in 2020, GodFather targets nearly 500 banking applications, cryptocurrency wallets, and exchanges worldwide; however, its virtualization-based attacks have primarily focused on several Turkish financial institutions. This capability enables threat actors to steal banking credentials and other sensitive account information.[1][2]

Android
Malware Mobile

S1067: FluBot

FluBot is a multi-purpose mobile banking malware that was first observed in Spain in late 2020. It primarily spread through European countries using a variety of SMS phishing messages in multiple languages.[1][2] An international law enforcement operation of 11 countries eventually disrupted the spread of FluBot.[3]

Android
Malware Mobile

S9004: Crocodilus

Crocodilus is an Android banking Trojan that was discovered in March 2025. Crocodilus targeted users worldwide, including Turkey, Poland, Argentina, Brazil, Spain, the United States, Indonesia and India. Crocodilus has been customized based on the target location. For example, Crocodilus mimicked major Turkish and Spanish banks for users in Turkey and Spain, while users in Poland saw Facebook advertisements that promoted Crocodilus to claim bonus points.[1][2]

Android
Change history

Object version and sync metadata

The fields below describe the current mirrored snapshot. When Glexia retains multiple ATT&CK source imports, you can open the table to compare the same object across releases (hashes and MITRE timestamps). For MITRE’s own release notes and roadmap, see ATT&CK resources: Updates.

ATT&CK release: 19.1
Object version: 3.0
Created:
Modified:
Raw hash: ce73b1c1b9cbbb6e...

Imported snapshots across ATT&CK releases (1)

  Release | Bundle imported | Object version | Modified | Status         | Raw hash
  19.1    |                 | 3.0            |          | Current bundle | ce73b1c1b9cb…
Raw source

Mirrored ATT&CK source object

The raw object is retained through the mirrored ATT&CK source bundle and object hash. The raw endpoint returns the exact object from the mirrored bundle when available.

Source references

External references and citations

MITRE external references are preserved separately from Glexia analysis so citations remain traceable to their original source records.

  1. [1] Google_AndroidAcsOverview: Google. (n.d.). Android accessibility overview. Retrieved April 17, 2025.
  2. [2] SahinSRLabs_FluBot_Dec2021: Şahin, Erdoğan Yağız. (2021, December 21). When your phone gets sick: FluBot abuses Accessibility features to steal data. Retrieved April 16, 2025.
  3. [3] mitre-attack T1453.

Source and licensing

Source: MITRE ATT&CK®. © 2026 The MITRE Corporation. This work is reproduced and distributed with the permission of The MITRE Corporation. MITRE ATT&CK and ATT&CK are registered trademarks of The MITRE Corporation. Glexia is not affiliated with or endorsed by MITRE.