Google limits Android accessibility API to curb malware abuse
Google is restricting how Android apps can use accessibility features after years of abuse by banking Trojans and mobile malware.
The changes, introduced in Android 17.2, limit access to the accessibility API when Advanced Protection Mode (APM) is enabled. Apps that do not serve a core accessibility function can no longer use these services, closing off a common attack vector.

Accessibility API abuse remains a key threat vector
The accessibility API allows apps to read screen content, control user input, and interact with other applications. These capabilities support assistive technologies such as screen readers, Braille displays, and voice controls.
Malware developers have used the same features to gain access to sensitive data. Banking Trojans can intercept two-factor authentication codes, capture credentials, and perform transactions without user knowledge. Attackers also use overlay techniques to mimic legitimate apps and record user input.
“The number of malware frameworks taking advantage of the accessibility API has grown. DroidLock uses it to steal your personal data before demanding a ransom. Albiriox uses it to install itself and give remote control to attackers halfway around the world,” Danny Bradbury wrote in a blog post.
A recent example observed by Malwarebytes researcher Stefan Dasic involved malware posing as a Google security page while abusing accessibility services.

Android tightens controls on accessibility API usage
Google has attempted to limit misuse of the API for several years. In 2017, the company required developers to justify their use of accessibility features or face removal from the Play Store. In 2021, it introduced permission declarations for apps targeting Android 12 and later.
Under the updated rules, apps can no longer freely enable accessibility services through software flags. Only apps built specifically for accessibility purposes are allowed to use the API. Password managers and automation tools are excluded from access when APM is enabled.
APM also restricts app installation to trusted sources and limits data transfers over USB. These measures reduce the attack surface but may affect app functionality.