Google has told Android developers that they won’t be able to publish their applications on the Google Play store if the apps use accessibility services for anything other than their intended purpose.
Officially, accessibility services is an Android API designed to help people with disabilities use their smartphones. It runs in the background and aids the user by carrying out tasks such as automatically filling out forms, overlaying content or switching between applications.
Many popular legitimate apps use the API to provide benefits to all users, but accessibility services are also exploited by cybercriminals to gain additional permissions for their malicious apps.
For example, the Svpeng banking Trojan abuses the feature to steal text entered into the phone’s apps, open URLs, read text messages and grant itself additional rights. DoubleLocker ransomware and BankBot malware are also among those that exploit accessibility services to compromise Android devices.
Google now appears to be looking to put a stop to applications that use the accessibility services feature for anything other than the purpose for which it was originally intended.
In an email sent to an app developer and posted to Reddit, Google said it is reviewing the permissions policy regarding apps and accessibility services.
“Apps requesting accessibility services should only be used to help users with disabilities use Android devices and apps. Your app must comply with our Permissions policy and the Prominent Disclosure requirements of our User Data policy,” said the message.
“If you aren’t already doing so, you must explain to users how your app is using the ‘android.permission.BIND_ACCESSIBILITY_SERVICE’ to help users with disabilities use Android devices and apps. Apps that fail to meet this requirement within 30 days may be removed from Google Play,” it adds.