Google to Ban Android Apps Misusing Accessibility Service

Following an increase in Android malware and adware that abuse accessibility services, Google has decided to take action against all apps that misuse the feature.


Much of the adware and malware that makes it onto the Google Play store abuses the BIND_ACCESSIBILITY_SERVICE permission. The permission is designed to allow apps to assist users with disabilities, but malware developers have found ways to misuse it in order to obtain device administrator privileges and conduct other malicious activities without raising suspicion.

One example is TOASTAMIGO, a piece of malware that exploits a recently patched vulnerability affecting the Toast feature in Android.

In an effort to prevent abuse, Google has decided that accessibility services should only be used to help people with disabilities. The tech giant has started contacting developers whose applications use the BIND_ACCESSIBILITY_SERVICE permission and informed them of the steps they need to take.

Developers who use the aforementioned permission to help people with disabilities must clearly state this in the app’s description on Google Play, and they must describe the functionality provided by the Accessibility Service permission. All other developers will have to remove the permission from their products within 30 days or risk having their apps pulled from the official app store.

“Alternatively, you can choose to unpublish the app,” Google told developers. “All violations are tracked. Serious or repeated violations of any nature will result in the termination of your developer account, and investigation and possible termination of related Google accounts.”
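For developers or reviewers checking which apps are affected, the following added example (not code from Google or from the article) audits a manifest for services bound to BIND_ACCESSIBILITY_SERVICE and for device administrator receivers. It assumes the APK's AndroidManifest.xml has already been decoded to text XML; the sample manifest, package name and component names are constructed.

```python
import xml.etree.ElementTree as ET

A = "{http://schemas.android.com/apk/res/android}"  # android: attribute namespace
ACCESSIBILITY_PERM = "android.permission.BIND_ACCESSIBILITY_SERVICE"
ACCESSIBILITY_ACTION = "android.accessibilityservice.AccessibilityService"
DEVICE_ADMIN_PERM = "android.permission.BIND_DEVICE_ADMIN"

# Constructed sample: decoded manifest of a hypothetical app.
SAMPLE_MANIFEST = """
<manifest xmlns:android="http://schemas.android.com/apk/res/android"
    package="com.example.flashlight">
  <application>
    <service android:name=".HelperService"
        android:permission="android.permission.BIND_ACCESSIBILITY_SERVICE">
      <intent-filter>
        <action android:name="android.accessibilityservice.AccessibilityService"/>
      </intent-filter>
    </service>
    <service android:name=".SyncService"/>
    <receiver android:name=".AdminReceiver"
        android:permission="android.permission.BIND_DEVICE_ADMIN"/>
  </application>
</manifest>"""


def audit_manifest(xml_text):
    """Return accessibility services and device-admin receivers in a manifest."""
    root = ET.fromstring(xml_text.strip())
    report = {"package": root.get("package"),
              "accessibility_services": [],
              "device_admin_receivers": []}
    for svc in root.iter("service"):
        actions = {a.get(A + "name") for a in svc.iter("action")}
        # A service counts if it is guarded by the permission or answers
        # the AccessibilityService intent action.
        if (svc.get(A + "permission") == ACCESSIBILITY_PERM
                or ACCESSIBILITY_ACTION in actions):
            report["accessibility_services"].append(svc.get(A + "name"))
    for rcv in root.iter("receiver"):
        if rcv.get(A + "permission") == DEVICE_ADMIN_PERM:
            report["device_admin_receivers"].append(rcv.get(A + "name"))
    # Accessibility plus device admin is the pairing the article describes
    # being abused; it marks an app for review, not proof of malice.
    report["review_first"] = bool(report["accessibility_services"]
                                  and report["device_admin_receivers"])
    return report


if __name__ == "__main__":
    print(audit_manifest(SAMPLE_MANIFEST))
```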

Many users and developers have raised concerns regarding Google’s decision, pointing out that legitimate apps often use the Accessibility Service as a workaround for features that otherwise might be difficult or impossible to implement.

Popular applications such as the LastPass password manager are set to lose important functionality if Google moves forward with its decision. There is also a lot of concern regarding the automation app Tasker, which is not specifically designed for individuals with disabilities, but which appears to be of great aid to some people with Parkinson’s disease and Asperger syndrome.

Some have offered advice on how app developers may be able to bypass the new restrictions, and shared thoughts on what alternative routes Google could take to prevent abuse while allowing legitimate apps to continue using the service.


Written By

Eduard Kovacs (@EduardKovacs) is a contributing editor at SecurityWeek. He worked as a high school IT teacher for two years before starting a career in journalism as Softpedia’s security news reporter. Eduard holds a bachelor’s degree in industrial informatics and a master’s degree in computer techniques applied in electrical engineering.
