Following an increase in Android malware and adware that abuse accessibility services, Google has decided to take action against all apps that misuse the feature.
Much of the adware and malware that makes it onto the Google Play store abuses the BIND_ACCESSIBILITY_SERVICE permission. The permission is designed to allow apps to assist users with disabilities, but malware developers have found ways to misuse it in order to obtain device administrator privileges and conduct other malicious activities without raising suspicion.
One example is TOASTAMIGO, a piece of malware that exploits a recently patched vulnerability affecting the Toast feature in Android.
In an effort to prevent abuse, Google has decided that accessibility services should only be used to help people with disabilities. The tech giant has started contacting developers whose applications use the BIND_ACCESSIBILITY_SERVICE permission and informed them of the steps they need to take.
Developers who use the aforementioned permission to help people with disabilities must clearly state this in the app’s description on Google Play, and they must describe the functionality provided by the Accessibility Service permission. All other developers will have to remove the permission from their products within 30 days or risk having it pulled from the official app store.
“Alternatively, you can choose to unpublish the app,” Google told developers. “All violations are tracked. Serious or repeated violations of any nature will result in the termination of your developer account, and investigation and possible termination of related Google accounts.”
Many users and developers have raised concerns regarding Google’s decision, pointing out that legitimate apps often use the Accessibility Service as a workaround for features that otherwise might be difficult or impossible to implement.
Popular applications such as the LastPass password manager are set to lose important functionality if Google moves forward with its decision. There is also a lot of concern regarding the automation app Tasker, which is not specifically designed for individuals with disabilities, but which appears to be of great aid to some people with Parkinson’s disease and Asperger syndrome.
Some have offered advice on how app developers may be able to bypass the new restrictions, and shared thoughts on what alternative routes Google could take to prevent abuse while allowing legitimate apps to continue using the service.
Related: Millions Download “ExpensiveWall” Malware via Google Play
Eduard Kovacs (@EduardKovacs) is a contributing editor at SecurityWeek. He worked as a high school IT teacher for two years before starting a career in journalism as Softpedia’s security news reporter. Eduard holds a bachelor’s degree in industrial informatics and a master’s degree in computer techniques applied in electrical engineering.
More from Eduard Kovacs
- Industry Reactions to Hive Ransomware Takedown: Feedback Friday
- US Reiterates $10 Million Reward Offer After Disruption of Hive Ransomware
- Hive Ransomware Operation Shut Down by Law Enforcement
- UK Gov Warns of Phishing Attacks Launched by Iranian, Russian Cyberspies
- Dozens of Cybersecurity Companies Announced Layoffs in Past Year
- Security Update for Chrome 109 Patches 6 Vulnerabilities
- New Open Source OT Security Tool Helps Address Impact of Upcoming Microsoft Patch
- Forward Networks Raises $50 Million in Series D Funding
Latest News
- Critical Vulnerability Impacts Over 120 Lexmark Printers
- BIND Updates Patch High-Severity, Remotely Exploitable DoS Flaws
- Industry Reactions to Hive Ransomware Takedown: Feedback Friday
- Microsoft Urges Customers to Patch Exchange Servers
- Iranian APT Leaks Data From Saudi Arabia Government Under New Persona
- US Reiterates $10 Million Reward Offer After Disruption of Hive Ransomware
- Cyberattacks Target Websites of German Airports, Admin
- US Infiltrates Big Ransomware Gang: ‘We Hacked the Hackers’
