Hack Demo Videos:

Hacking Android Through Accessibility Events: A how-to video

19 Sep 2014

Hello and welcome to the security kitchen. My name is Dave and I’m here to show you how we can use Android accessibility events to steal a PIN from a locked device.

To set the scene we’d first socially engineer our target to install one of our rogue applications from Google Play. It’s going to log everything that the device doe and allow us to view that information. I’ve installed it by hand, here, just to speed things up.

In accessibility settings I need to find silly voice (the talk back function). Now I’ll enable this, and when I enable it I get a warning saying that it can collect all the data that I type, except for passwords.

Little does it know though that in the background we are now logging lots of little things, thanks to our rough app. So I’ll just lock the tablet screen and then unlock it. You can see me type in the PIN code now, and if we look at the screen we can see 1337.

To deal with this sort of problem be sure that you are happy with the permissions that any given setting allows, and avoid downloading suspicious apps.