Android’s recent API modifications have hampered some malware’s ability to determine which application is currently running in the foreground of a device at any given point of time. As Android begins to successfully block this attack method, attackers may adopt a trick used by adware so that their threats can work again.
Though we have previously seen mobile potentially unwanted applications (PUAs) abuse accessibility services to install arbitrary applications, we believe financial malware could use the same technique to circumvent a significant security improvement specifically created to thwart this kind of threat.
