Connect with us

Hi, what are you looking for?

SecurityWeekSecurityWeek

Application Security

Google to Ban Android Apps Misusing Accessibility Service

Following an increase in Android malware and adware that abuse accessibility services, Google has decided to take action against all apps that misuse the feature.

Following an increase in Android malware and adware that abuse accessibility services, Google has decided to take action against all apps that misuse the feature.

Much of the adware and malware that makes it onto the Google Play store abuses the BIND_ACCESSIBILITY_SERVICE permission. The permission is designed to allow apps to assist users with disabilities, but malware developers have found ways to misuse it in order to obtain device administrator privileges and conduct other malicious activities without raising suspicion.

One example is TOASTAMIGO, a piece of malware that exploits a recently patched vulnerability affecting the Toast feature in Android.

In an effort to prevent abuse, Google has decided that accessibility services should only be used to help people with disabilities. The tech giant has started contacting developers whose applications use the BIND_ACCESSIBILITY_SERVICE permission and informed them of the steps they need to take.

Developers who use the aforementioned permission to help people with disabilities must clearly state this in the app’s description on Google Play, and they must describe the functionality provided by the Accessibility Service permission. All other developers will have to remove the permission from their products within 30 days or risk having it pulled from the official app store.

“Alternatively, you can choose to unpublish the app,” Google told developers. “All violations are tracked. Serious or repeated violations of any nature will result in the termination of your developer account, and investigation and possible termination of related Google accounts.”

Many users and developers have raised concerns regarding Google’s decision, pointing out that legitimate apps often use the Accessibility Service as a workaround for features that otherwise might be difficult or impossible to implement.

Popular applications such as the LastPass password manager are set to lose important functionality if Google moves forward with its decision. There is also a lot of concern regarding the automation app Tasker, which is not specifically designed for individuals with disabilities, but which appears to be of great aid to some people with Parkinson’s disease and Asperger syndrome.

Advertisement. Scroll to continue reading.

Some have offered advice on how app developers may be able to bypass the new restrictions, and shared thoughts on what alternative routes Google could take to prevent abuse while allowing legitimate apps to continue using the service.

Related: Millions Download “ExpensiveWall” Malware via Google Play

Related: Judy Adware Infects Dozens of Google Play Apps

Related: Android Malware ‘Dvmap’ Delivered via Google Play

Written By

Eduard Kovacs (@EduardKovacs) is a managing editor at SecurityWeek. He worked as a high school IT teacher for two years before starting a career in journalism as Softpedia’s security news reporter. Eduard holds a bachelor’s degree in industrial informatics and a master’s degree in computer techniques applied in electrical engineering.

Click to comment

Trending

Daily Briefing Newsletter

Subscribe to the SecurityWeek Email Briefing to stay informed on the latest threats, trends, and technology, along with insightful columns from industry experts.

Learn how the LOtL threat landscape has evolved, why traditional endpoint hardening methods fall short, and how adaptive, user-aware approaches can reduce risk.

Watch Now

Join the summit to explore critical threats to public cloud infrastructure, APIs, and identity systems through discussions, case studies, and insights into emerging technologies like AI and LLMs.

Register

People on the Move

Checkmarx has appointed Scott Gainey as Chief Marketing Officer.

Jason Hogg has been named Executive Chairman of CYPFER.

HUB Cyber Security has appointed former PayPal and American Express executive Paul Parisi as its Global Chief Revenue Officer.

More People On The Move

Expert Insights

Daily Briefing Newsletter

Subscribe to the SecurityWeek Email Briefing to stay informed on the latest cybersecurity news, threats, and expert insights. Unsubscribe at any time.