A team of cybersecurity experts at Georgia Tech has unveiled a powerful new tool designed to detect and help users remove a class of malware that hijacks smartphone accessibility features.
The tool, known as Detector of Victim-specific Accessibility (DVa), was developed in response to the growing misuse of accessibility services—originally intended to support users with disabilities—by malicious software.
Accessibility features such as screen readers and voice-to-text functions have made smartphones more inclusive for people with visual, auditory, or motor impairments. However, these same tools can be manipulated by malware to perform unauthorized actions like tapping buttons, reading sensitive information, or approving transactions without the user's consent.
In some cases, malware can even block a user's attempt to uninstall it, leading to persistent infections and potential financial loss, particularly when it gains access to banking apps or cryptocurrency wallets.
"These attacks can happen silently and quickly," said Brendan Saltaformaggio, Associate Professor in Georgia Tech’s School of Cybersecurity and Privacy. "As we continue to design systems that are more accessible, we also need security experts in the room—because if we don’t, they’re going to get abused by hackers."
DVa runs a cloud-based scan of a user's device to identify malicious applications that exploit accessibility permissions. It then generates a report that tells users:
Which apps are infected
How to safely remove them
Which legitimate apps were being targeted (e.g., banking or rideshare apps)
How to contact the affected companies for possible assistance
The tool also forwards a copy of this report to Google, enabling the tech giant to flag and potentially remove the harmful apps from its Play Store.
To evaluate the danger, the researchers installed sample malware on five Google Pixel phones and monitored how the infections affected the system. Partnering with Netskope, a cloud and network security firm, the team used DVa to analyze and report the malware’s actions, demonstrating the tool’s real-world capabilities.
While DVa marks a breakthrough in tackling this specific threat, the team acknowledges the delicate balance between ensuring user safety and maintaining necessary accessibility.
“It’s not just about removing the malware,” said Saltaformaggio. “It’s about making sure we don’t remove accessibility in the process.”
COMMENTS
Comments are moderated and generally will be posted if they are on-topic and not abusive.
For more information, please see our Comments FAQ