Google will remove apps that misuse Android Accessibility Services from Google Play

Android app developers whose offerings implement Accessibility Services for reasons other than helping users with disabilities use their apps have less than 30 days to switch to other methods, or risk their apps being removed from Google Play and their developer account terminated.

Google has yet to say explicitly why they are making this move, but it’s believed that it’s a measure meant to stymie malware developers.

Announced change

The Google Play Review Team has begun mailing app developers, telling them about the change, and requesting they find a way to work around it or, if they can’t, to consider removing the app(s) from Google Play:

Email received by a developer

This change might be a big problem for developers whose apps rely on using android.permission.BIND_ACCESSIBILITY_SERVICE to provide easy functionality.

The LastPass Android app, for example, uses it to auto-fill logins in other Android apps. Popular automation/productivity app Tasker and battery-saving app Greenify are two more examples.
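To check whether a given app is in scope of this change, a developer or reviewer can look for services bound with this permission in the app's manifest. The script below is an added example, not code from Google or from any of the apps named here; it assumes a decoded (plain XML) AndroidManifest.xml, and the sample manifest, package and service names are constructed.

```python
import xml.etree.ElementTree as ET

ANDROID_NS = "{http://schemas.android.com/apk/res/android}"
A11Y_PERMISSION = "android.permission.BIND_ACCESSIBILITY_SERVICE"
A11Y_ACTION = "android.accessibilityservice.AccessibilityService"
A11Y_METADATA = "android.accessibilityservice"

# Constructed sample: a decoded manifest with one accessibility service
# and one ordinary service. Names are hypothetical.
SAMPLE_MANIFEST = """<manifest
    xmlns:android="http://schemas.android.com/apk/res/android"
    package="com.example.autofill">
  <application>
    <service android:name=".FillService"
        android:permission="android.permission.BIND_ACCESSIBILITY_SERVICE">
      <intent-filter>
        <action android:name="android.accessibilityservice.AccessibilityService"/>
      </intent-filter>
      <meta-data android:name="android.accessibilityservice"
          android:resource="@xml/fill_config"/>
    </service>
    <service android:name=".SyncService"/>
  </application>
</manifest>"""

def find_accessibility_services(manifest_xml):
    """Return one dict per <service> wired up as an accessibility service."""
    root = ET.fromstring(manifest_xml)
    package = root.get("package", "")
    findings = []
    for svc in root.iter("service"):
        permission = svc.get(ANDROID_NS + "permission")
        actions = {a.get(ANDROID_NS + "name") for a in svc.iter("action")}
        has_action = A11Y_ACTION in actions
        if permission != A11Y_PERMISSION and not has_action:
            continue  # ordinary service, not relevant here
        name = svc.get(ANDROID_NS + "name", "")
        if name.startswith("."):
            name = package + name  # expand the relative class name
        config = next((m.get(ANDROID_NS + "resource") for m in svc.iter("meta-data")
                       if m.get(ANDROID_NS + "name") == A11Y_METADATA), None)
        findings.append({"service": name,
                         "guarded_by_permission": permission == A11Y_PERMISSION,
                         "declares_action": has_action,
                         "config_resource": config})
    return findings

if __name__ == "__main__":
    for finding in find_accessibility_services(SAMPLE_MANIFEST):
        print(finding)
```

The resource named in config_resource is the service's configuration file, which is the next thing to review because it states which events and window content the service asks to receive.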

Android Accessibility Services misuse

Accessibility Services are meant to help users with disabilities (physical, visual, or age-related) use their device, and therefore have full access to the contents of the interfaces that a user interacts with.

Unfortunately, they can be misused by developers of mobile malware to do things like activate device administrator rights and set the malware as the default Home application, interact with the graphical interface (for example, simulate user actions in dialogs), intercept the information entered by the victim, lay windows over other windows and apps running on the device, etc.

Adware makers were first to misuse Android’s Accessibility Service, and malware authors began doing the same after the majority of Android users switched to Android 5.0 (Lollipop) and later. Before Lollipop, they were using the getRunningTasks() API to steal information, but Google made it impossible for third-party apps to use it.

The potential for misuse of the BIND_ACCESSIBILITY_SERVICE (aka “a11y”) permission has also been noted earlier this year by researchers from Georgia Tech and the University of California, Santa Barbara.