Google has emailed Android app developers and has informed them of plans to remove all apps that misuse the Accessibility service from the Play Store.
The Android Accessibility service is an Android API designed to help app developers create apps for users with disabilities. The API works by giving an application programmatic control over actions that would normally require the user's physical interaction. For example, the Accessibility service can mimic taps and swipes on UI elements to navigate users through various screens.
This is a very powerful feature, one that malware authors also noticed and incorporated into their malicious apps. For years, these malicious apps have relied on tricking users into granting them access to the Accessibility service. Once they gained such access, it was game over, as this allowed the malware to install itself as device admin, download and install other malware, and execute various operations in the phone's background.
Abuse of the Accessibility service is currently common in banking trojans, mobile ransomware strains, click-fraud bots, adware, and almost every other malware category. Attacks like Cloak & Dagger and the Toast Overlay attack rely heavily on it.
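Because the abuse described above starts with a user granting an app the Accessibility permission, the check a defender most wants is a list of which services actually hold it on a device. The POSIX shell audit below is an added example, not something from the article or from Google: it reads the secure setting Android uses to record enabled accessibility services via adb (a colon-separated list of "package/ServiceClass" entries), and flags every entry whose package is not on a local allowlist. The allowlist contents and the fallback sample value are constructed for illustration.

```shell
#!/bin/sh
# Audit enabled Android accessibility services and flag unexpected ones.

# Packages expected to hold the Accessibility permission on a managed
# device (constructed example: only TalkBack; adjust for your fleet).
ALLOWED_PACKAGES="com.google.android.marvin.talkback"

# list_accessibility_services SETTING_VALUE
# Prints one "package/class" entry per line from the raw setting value.
# An unset setting is reported by `settings get` as the literal "null".
list_accessibility_services() {
    printf '%s\n' "$1" | tr ':' '\n' | sed '/^$/d;/^null$/d'
}

# unexpected_accessibility_services SETTING_VALUE
# Prints the entries whose package is not listed in ALLOWED_PACKAGES.
unexpected_accessibility_services() {
    list_accessibility_services "$1" | while IFS= read -r entry; do
        pkg=${entry%%/*}          # package name is everything before the "/"
        case " $ALLOWED_PACKAGES " in
            *" $pkg "*) ;;        # allowlisted: stay quiet
            *) printf '%s\n' "$entry" ;;
        esac
    done
}

# count_unexpected SETTING_VALUE
# Number of flagged entries; useful as an exit status in fleet checks.
count_unexpected() {
    unexpected_accessibility_services "$1" | wc -l | tr -d ' '
}

# Pull the live value from an attached device when adb is available;
# otherwise fall back to a constructed sample so the script runs offline.
if command -v adb >/dev/null 2>&1 && adb get-state >/dev/null 2>&1; then
    SETTING=$(adb shell settings get secure enabled_accessibility_services | tr -d '\r')
else
    SETTING="com.google.android.marvin.talkback/com.google.android.marvin.talkback.TalkBackService:com.example.batterydoctor/com.example.batterydoctor.BoostService"
fi

unexpected_accessibility_services "$SETTING"
```

Each flagged line is a candidate for review against the explainer and Play Store disclosure the new policy requires; a count of zero means every enabled service is one you expected.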
In an email (embedded below) sent out last week and shared on Reddit, Google told developers that it plans to remove all apps that utilize the Accessibility service from the official Play Store unless the Accessibility service is actually being used to power a feature for users with disabilities.
Developers are expected to show users a visible explainer describing how and why they're using that service. They must also disclose on the app's Play Store page that they use this service by adding "This app uses Accessibility services" to its description.
Developers have 30 days to comply and update their apps. Developers who can't update their apps were kindly asked to remove the apps from the Play Store themselves.
Google hopes that this new requirement will make it harder for banking trojans to slip into its official Play Store.
The downside is that in 30 days Google will also kill hundreds, if not thousands, of apps that use the Accessibility service in non-malicious but creative ways. This includes battery "doctor" apps, phone key remapping apps, some password managers, status bar replacements, and more.
In addition, this change will affect only the distribution of malware via the official Play Store. Apps installed through third-party stores are not affected.
Most Android malware groups will simply shift focus to third-party store distribution, to different methods of abusing the Play Store, or to requesting access to the Accessibility service in ways that Google does not detect at this time.
Image credits: James Fenn