Virtualization-based Penetration Testing Study for Detecting Accessibility Abuse Vulnerabilities in Banking Apps in East and Southeast Asia

Notice: This research summary and analysis were automatically generated using AI technology. For absolute accuracy, please refer to the [Original Paper Viewer] below or the Original ArXiv Source.

Android banking applications have revolutionized financial management by allowing users to perform various financial activities through mobile devices. However, this convenience has attracted cybercriminals who exploit security vulnerabilities to access sensitive financial data. FjordPhantom, a malware identified by our industry collaborator, uses virtualization and hooking to bypass the detection of malicious accessibility services, allowing it to conduct keylogging, screen scraping, and unauthorized data access. This malware primarily affects banking and finance apps across the East and Southeast Asia region, where our industry partner's clients are primarily based. It requires users to be deceived into installing a secondary malicious component and activating a malicious accessibility service. In our study, we conducted an empirical study on the susceptibility of banking apps in the region to FjordPhantom, analyzed the effectiveness of protective measures currently implemented in those apps, and discussed ways to detect and prevent such attacks by identifying and mitigating the vulnerabilities exploited by this malware.


💡 Research Summary

The paper investigates a newly observed class of attacks on Android banking applications in East and Southeast Asia that exploit accessibility services through a malware family called FjordPhantom. FjordPhantom operates in two stages: first, it deceives users into installing a benign‑looking component that hosts a virtualization container; second, it loads the target banking app inside this container, uses a Java API‑hooking framework to bypass the app’s runtime checks for malicious accessibility services, and then activates a malicious accessibility service with broad permissions. This enables keylogging, screen scraping, auto‑clicking, and other data‑exfiltration techniques without modifying the original APK, thereby evading anti‑tampering mechanisms.

To assess the prevalence of this vulnerability, the authors selected 83 banking apps from seven countries (Singapore, Indonesia, Thailand, Hong Kong, Malaysia, Japan, and Korea) representing over 405 million cumulative downloads. They performed static analysis with APKiD to detect Runtime Application Self‑Protection (RASP) solutions—packers, protectors, obfuscators—and hardening measures such as anti‑VM, anti‑debugging, and anti‑disassembly. The majority of apps (80/83) employed anti‑VM, but only 9 % used protector‑type RASP.

The core of the study is an automated penetration‑testing pipeline. For each app the system (1) downloads the APK from Google Play, (2) extracts it via ADB, (3) repackages it with FjordPhantom's virtualization wrapper and hooks, (4) runs the original app to verify stable execution, and (5) runs the repackaged version in a controlled environment. If the original app runs without crashing and the virtualized version also continues running (i.e., does not crash), the app is deemed vulnerable to accessibility‑abuse attacks. This methodology respects privacy and ethical constraints by limiting the test to a local device and avoiding any real user data.

Results show that 36 of the 83 apps (43 %) are vulnerable, exposing roughly 225 million Android users in the region. Vulnerability rates vary by country: Singapore (75 %), Indonesia (57.9 %), and Thailand (57.1 %) are the most exposed, while Japan (15.4 %) and Korea (12.5 %) exhibit stronger defenses. Analysis of hardening measures reveals that anti‑VM, despite being widely deployed, does not prevent FjordPhantom because the malware itself runs a virtual environment. Anti‑disassembly correlates with resistance (78 % of such apps are safe), suggesting static code obfuscation still offers value even when the attack does not rely on static code modification. Protector‑type RASP solutions, though rare, are highly effective (75 % resistance).
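The three paragraphs above describe the static APKiD scan, the run/crash decision rule of steps (4) and (5), and the per-country and per-hardening-measure aggregation. The following added example (written for this summary, not the paper's own pipeline or any released tooling) models those three stages offline so that an app security team can reason about the verdict logic before wiring it to a device: it reads an APKiD-style JSON report, decides from captured logcat excerpts whether a launch crashed, and aggregates vulnerability and resistance rates. Assumptions: the APKiD category names (`anti_vm`, `anti_debug`, `anti_disassembly`, `packer`, `protector`, `obfuscator`) follow its rule set; the crash messages mirror common `ActivityManager` and `AndroidRuntime` logcat lines; and a guest app loaded by a virtualization wrapper runs inside the wrapper's process, so that process name is what the virtualized run watches. Every app, package name and log line below is constructed.

```python
import re
from collections import defaultdict

# APKiD category names (assumption: as used in APKiD's rule set)
HARDENING = ("anti_vm", "anti_debug", "anti_disassembly")
RASP = ("packer", "protector", "obfuscator")

# logcat lines that indicate a process died or its activity was torn down
CRASH_PATTERNS = (
    # ActivityManager: "Process com.example.bank (pid 4321) has died"
    re.compile(r"Process (?P<pkg>[A-Za-z0-9_.]+) \(pid \d+\) has died"),
    # ActivityManager: "Force finishing activity com.example.bank/.MainActivity"
    re.compile(r"Force finishing activity (?P<pkg>[A-Za-z0-9_.]+)/"),
    # AndroidRuntime: "Process: com.example.bank, PID: 4321" (follows FATAL EXCEPTION)
    re.compile(r"Process: (?P<pkg>[A-Za-z0-9_.]+), PID: \d+"),
)


def crashed(logcat_lines, process_name):
    """True if any captured line reports that process_name died or was force-finished."""
    for line in logcat_lines:
        for pattern in CRASH_PATTERNS:
            match = pattern.search(line)
            if match and match.group("pkg") == process_name:
                return True
    return False


def hardening_flags(apkid_report):
    """Collapse an APKiD JSON report to one boolean per category across all scanned files."""
    flags = {category: False for category in HARDENING + RASP}
    for entry in apkid_report.get("files", []):
        for category in entry.get("matches", {}):
            if category in flags:
                flags[category] = True
    return flags


def classify(original_log, virtual_log, package, wrapper_process):
    """Apply the study's decision rule: original must run; a virtualized build that
    keeps running means the app's protections did not stop the container."""
    if crashed(original_log, package):
        return "unstable"   # cannot be assessed on this device; excluded from rates
    if crashed(virtual_log, wrapper_process):
        return "resistant"  # execution aborted inside the virtualization wrapper
    return "vulnerable"     # survived virtualization, so accessibility abuse is possible


def summarize(apps):
    """Per-app verdicts, vulnerability rate per country, and the share of apps carrying
    each hardening/RASP measure that turned out resistant."""
    verdicts = {}
    by_country = defaultdict(lambda: {"vulnerable": 0, "tested": 0})
    by_measure = defaultdict(lambda: {"resistant": 0, "with_measure": 0})
    for app in apps:
        verdict = classify(app["original_log"], app["virtual_log"],
                           app["package"], app["wrapper_process"])
        verdicts[app["package"]] = verdict
        if verdict == "unstable":
            continue
        by_country[app["country"]]["tested"] += 1
        if verdict == "vulnerable":
            by_country[app["country"]]["vulnerable"] += 1
        for measure, present in hardening_flags(app["apkid"]).items():
            if present:
                by_measure[measure]["with_measure"] += 1
                by_measure[measure]["resistant"] += verdict == "resistant"
    return {
        "verdicts": verdicts,
        "vulnerability_rate_by_country": {
            c: v["vulnerable"] / v["tested"] for c, v in by_country.items()},
        "resistance_rate_by_measure": {
            m: v["resistant"] / v["with_measure"] for m, v in by_measure.items()},
    }


WRAPPER = "com.example.wrapper"  # constructed wrapper/host process name
SAMPLE_APPS = [  # constructed inputs, not real banking apps
    {"package": "com.example.sgbank1", "country": "SG", "wrapper_process": WRAPPER,
     "apkid": {"files": [{"filename": "classes.dex", "matches": {"anti_vm": ["emulator check"]}}]},
     "original_log": ["I ActivityManager: Displayed com.example.sgbank1/.Main: +812ms"],
     "virtual_log": ["I ActivityManager: Displayed com.example.wrapper/.Host: +1204ms"]},
    {"package": "com.example.sgbank2", "country": "SG", "wrapper_process": WRAPPER,
     "apkid": {"files": [{"filename": "classes.dex", "matches": {
         "anti_vm": ["emulator check"], "anti_disassembly": ["illegal opcodes"], "protector": ["x"]}}]},
     "original_log": ["I ActivityManager: Displayed com.example.sgbank2/.Main: +700ms"],
     "virtual_log": ["I ActivityManager: Process com.example.wrapper (pid 5120) has died"]},
    {"package": "com.example.jpbank", "country": "JP", "wrapper_process": WRAPPER,
     "apkid": {"files": [{"filename": "classes.dex", "matches": {
         "anti_vm": ["emulator check"], "anti_disassembly": ["illegal opcodes"]}}]},
     "original_log": ["I ActivityManager: Displayed com.example.jpbank/.Main: +655ms"],
     "virtual_log": ["W ActivityManager: Force finishing activity com.example.wrapper/.Host"]},
    {"package": "com.example.idbank", "country": "ID", "wrapper_process": WRAPPER,
     "apkid": {"files": [{"filename": "classes.dex", "matches": {"anti_vm": ["emulator check"]}}]},
     "original_log": ["E AndroidRuntime: FATAL EXCEPTION: main",
                      "E AndroidRuntime: Process: com.example.idbank, PID: 7001"],
     "virtual_log": []},
]

if __name__ == "__main__":
    print(summarize(SAMPLE_APPS))
```

In a live pipeline the two log lists would come from `adb logcat -d` captured after each launch, and the APKiD report from `apkid -j <apk>`. The design choice worth noting is that an app whose original build crashes on the test device is excluded rather than counted as safe: a crash caused by an unrelated incompatibility says nothing about whether the app can detect a virtualization container, and counting it would inflate the resistance rates.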

The authors discuss the limitations of current Android security frameworks (SafetyNet, Play Services) and RASP in detecting virtualization‑based attacks. They propose future work in three areas: (1) runtime integrity checks that can detect foreign virtualization containers and API hooks, (2) UI/UX mechanisms that require explicit multi‑factor confirmation before enabling accessibility services, and (3) development‑time hardening practices that minimize accessibility permissions and enforce dynamic verification of service activation. They also recommend that Google Play implement automated detection of apps that embed virtualization wrappers, and that banking institutions adopt standardized guidelines for accessibility‑service usage.

In conclusion, the study provides the first empirical evidence that accessibility‑service abuse via virtualization is a significant threat to banking apps in the targeted region, highlights the partial effectiveness of existing hardening techniques, and outlines a roadmap for more robust defenses against this emerging attack vector.

