Android app developers have received an email from Google informing them of its plan to remove from the Google Play Store all apps that misuse the Accessibility service.
The Android Accessibility service is an Android API created to help developers build apps for users with disabilities. It gives an application programmatic control over actions that would normally require the user's physical interaction: an accessibility service can, for instance, perform taps and swipes on User Interface elements to move the user between screens. This is a useful and powerful feature, and it has not escaped the attention of cyber crooks, who have built it into their malicious apps. Malicious apps have long relied on tricking users into granting them access to the Accessibility Service; this is nothing new and has been happening for years. Once the crooks have that access and the permissions that follow from it, it is effectively game over: the malware can install itself on the compromised device as device admin, download and install additional malware, and carry out a range of operations in the background of the infected device.
Abuse of the Accessibility service is common in banking Trojans, mobile ransomware strains, adware, click-fraud bots and other kinds of malware. Attacks such as Cloak & Dagger and the Toast Overlay attack rely heavily on it to carry out their actions on the targeted device.
Here is the email Google sent out last week:
“We’re contacting you because your app, BatterySaver System Shortcut, with package name com.floriandraschbacher.batterysaver.free is requesting the ‘android.permission.BIND_ACCESSIBILITY_SE Apps requesting accessibility services should only be used to help users with disabilities use Android devices and apps. Your app must comply with our Permissions policy and the Prominent Disclosure requirements of our User Data policy.
Action required: If you aren’t already doing so, you must explain to users how your app is using the ‘android.permission.BIND_ACCESSIBILITY_SE to help users with disabilities use Android devices and apps. Apps that fail to meet this requirement within 30 days may be removed from Google Play. Alternatively, you can remove any requests for accessibility services within your app. You can also choose to unpublish your app.
[…]
Alternatively, you can choose to unpublish the app. All violations are tracked. Serious or repeated violations of any nature will result in the termination of your developer account, and investigation and possible termination of related Google accounts.
If you’ve reviewed the policy and feel we may have been in error, please reach out to our policy support team. One of my colleagues will get back to you within 2 business days.
Regards,
The Google Play Review Team”
As you can see, Google plans to remove from the Google Play Store every app that uses the Accessibility service unless that service actually powers a feature for users with disabilities. Developers are expected to show users a visible explainer describing how and why the app uses the service, and to disclose that use on the app’s Play Store page by adding “This app uses Accessibility services” to the app description.
Developers have 30 days to comply with Google’s demands and update their apps. Those who cannot update within that period are asked by Google to remove their apps from the Google Play Store themselves.
Google hopes that the new requirement will make it harder for banking Trojans and other kinds of malware to slip into the Google Play Store. The downside of a requirement with only a 30-day implementation window is that Google will also eliminate hundreds, if not thousands, of apps that use the Accessibility service in non-malicious but creative ways: battery “doctor” apps, some password managers, phone key remapping apps, status bar replacements and many more.
Furthermore, the change only affects distribution through the Google Play Store; apps installed from third-party stores are not affected at all. Cyber crooks will therefore focus on distributing their apps through third-party stores, try other methods of abusing the Google Play Store, or request the Accessibility service in ways that do not catch Google’s eye.
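Because Google’s policy change only touches what is distributed through the Play Store, the practical check for a defender or incident responder is still to look at which accessibility services are actually enabled on a device, whatever store the apps came from. The following is an added triage helper, not code from the article or from Google: it takes the raw value of the `enabled_accessibility_services` secure setting (the colon-separated list of `package/service` component names that `adb shell settings get secure enabled_accessibility_services` prints) and lists every enabled service whose package is not on a short allowlist. The allowlist contents and the sample device value are constructed for illustration.

```shell
#!/bin/sh
# Triage helper (added example): list enabled Android accessibility services
# that are not on an allowlist of expected assistive-technology packages.
#
# Input is the raw value of the 'enabled_accessibility_services' secure setting,
# e.g. obtained with:  adb shell settings get secure enabled_accessibility_services
# Format: colon-separated flattened component names, "package/service.Class".

# Packages that are expected to hold accessibility privileges on the fleet.
# Hypothetical list for this example; edit it for your own environment.
ALLOWLIST="com.google.android.marvin.talkback com.android.switchaccess"

# Print every enabled service whose package is not allowlisted, one per line.
audit_accessibility_services() {
    raw="$1"
    # 'settings get' prints "null" when the setting has never been written.
    if [ -z "$raw" ] || [ "$raw" = "null" ]; then
        return 0
    fi
    printf '%s\n' "$raw" | tr ':' '\n' | while IFS= read -r component; do
        [ -z "$component" ] && continue
        pkg=${component%%/*}          # package name is everything before '/'
        allowed=0
        for a in $ALLOWLIST; do
            [ "$a" = "$pkg" ] && allowed=1
        done
        [ "$allowed" -eq 0 ] && printf '%s\n' "$component"
    done
}

# Number of unexpected services; 0 means the device matches the allowlist.
count_unexpected() {
    audit_accessibility_services "$1" | awk 'END { print NR }'
}

# Constructed sample value: one legitimate screen reader plus two third-party
# apps (a battery "booster" and a key remapper) holding accessibility access.
SAMPLE='com.google.android.marvin.talkback/com.google.android.marvin.talkback.TalkBackService:com.example.batterysaver/.BoostService:com.example.keymapper/com.example.keymapper.RemapService'

# Stand-alone usage: print the unexpected entries for the sample value.
audit_accessibility_services "$SAMPLE"
```

On a real device, replace `SAMPLE` with the output of the `adb shell settings get secure` command above; any component the helper prints is an app that can read screen content and inject input and should be reviewed against what the user actually installed and why.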