A malicious application can inject input to the user interface to mimic user interaction through the abuse of Android's accessibility APIs.
Input Injection can be achieved using any of the following methods:
GLOBAL_ACTION_BACK (programmatically mimicking a physical back button press), to trigger actions on behalf of the user.
Riltok injects input to set itself as the default SMS handler by clicking the appropriate places on the screen. It can also close or minimize targeted antivirus applications and the device security settings screen.
Applications that register an accessibility service should be scrutinized further for malicious behavior.
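One way to apply this scrutiny during app vetting, as an added example that is not part of the original page: the script scans a decoded AndroidManifest.xml and lists every service that declares the accessibility binding permission or intent action. It assumes the manifest has already been decoded to plain XML; the sample manifest, package name and service names are constructed.

```python
import xml.etree.ElementTree as ET

ANDROID_NS = "http://schemas.android.com/apk/res/android"
A11Y_PERMISSION = "android.permission.BIND_ACCESSIBILITY_SERVICE"
A11Y_ACTION = "android.accessibilityservice.AccessibilityService"
# Constructed sample: package and service names are hypothetical.
SAMPLE_MANIFEST = """
<manifest xmlns:android="http://schemas.android.com/apk/res/android"
          package="com.example.flashlight">
  <application>
    <service android:name=".SyncService"/>
    <service android:name=".HelperService"
             android:permission="android.permission.BIND_ACCESSIBILITY_SERVICE">
      <intent-filter>
        <action android:name="android.accessibilityservice.AccessibilityService"/>
      </intent-filter>
      <meta-data android:name="android.accessibilityservice"
                 android:resource="@xml/helper_config"/>
    </service>
  </application>
</manifest>
"""

def attr(elem, name):  # read an android:-namespaced attribute
    return elem.get(f"{{{ANDROID_NS}}}{name}")

def find_accessibility_services(manifest_xml):
    """List <service> entries that register as accessibility services."""
    root = ET.fromstring(manifest_xml.strip())
    package = root.get("package", "")
    findings = []
    for service in root.iter("service"):
        name = attr(service, "name") or ""
        if name.startswith("."):  # relative class name, resolve against package
            name = package + name
        has_permission = attr(service, "permission") == A11Y_PERMISSION
        has_action = any(attr(a, "name") == A11Y_ACTION for a in service.iter("action"))
        if not (has_permission or has_action):
            continue
        # The referenced XML resource holds the service's declared capabilities.
        config = next((attr(m, "resource") for m in service.iter("meta-data")
                       if attr(m, "name") == "android.accessibilityservice"), None)
        findings.append({"service": name, "config_resource": config,
                         "permission_and_action": has_permission and has_action})
    return findings

if __name__ == "__main__":
    for finding in find_accessibility_services(SAMPLE_MANIFEST):
        print(finding)
```

Each finding is a lead for manual review of the app and of the referenced configuration resource, not a verdict, since legitimate assistive apps register the same way.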
An EMM/MDM can use the Android
Users should be warned against granting access to accessibility features and should carefully scrutinize applications that request this dangerous permission.
Users can view applications that have registered accessibility services in the accessibility menu within the device settings.