Android security: Google cracks down on apps that want to use accessibility services

Measure would prevent feature designed for aiding disabled users from being abused by malicious apps -- but could force changes for popular apps, too.
Written by Danny Palmer, Senior Writer


Google has told Android developers that they won't be able to publish their applications on the Google Play store if the app uses accessibility services for anything other than its intended purpose.

Officially, accessibility services is an Android API designed to help people with disabilities use their smartphone by running in the background and aiding the user by carrying out tasks such as automatically filling out forms, overlaying content or switching between applications.

Many popular, legitimate apps use the API to provide all users with benefits, but accessibility services are also exploited by cybercriminals in order to gain additional permissions for their malicious apps.

For example, the Svpeng banking Trojan abuses the feature to steal text entered into the phone's apps, open URLs, read text messages and grant itself additional rights. DoubleLocker ransomware and BankBot malware are also among those which exploit accessibility services to compromise Android devices.

Google now appears to be looking to put a stop to applications which don't use the accessibility services feature for the purpose for which it was originally intended.

In an email sent to an app developer and posted to Reddit, Google said it is reviewing the permissions policy regarding apps and accessibility services.

"Apps requesting accessibility services should only be used to help users with disabilities use Android devices and apps. Your app must comply with our Permissions policy and the Prominent Disclosure requirements of our User Data policy," said the message.

"If you aren't already doing so, you must explain to users how your app is using the 'android.permission.BIND_ACCESSIBILITY_SERVICE' to help users with disabilities use Android devices and apps. Apps that fail to meet this requirement within 30 days may be removed from Google Play," it adds.


Failure to explain why an app needs the use of the accessibility services API could potentially see apps removed from the Google Play store. However, some have criticised Google's message as being too vague and not helpful to developers or users.

If the new policy is a means of trying to protect users, it comes as Google has been criticised for repeatedly failing to stop fake and malicious apps from getting into the official Android marketplace.

ZDNet contacted Google for clarification, but hadn't received a response at the time of publishing.

