From now on, Android developers won’t be able to publish their apps if they fail to explain why they’re using the accessibility features designed to help make things easier for the disabled.
Accessibility services is an Android API that runs in the background and helps the disabled by carrying out certain tasks such as:
- Overlaying content
- Switching between apps
- Filling out forms
Although there are many legitimate reasons why an app would use this feature, it is also a potential cybersecurity risk, as many cybercriminals take advantage of it to gain additional rights and steal data. The infamous Svpeng banking trojan does exactly that, as do other types of Android malware, including the BankBot malware and the DoubleLocker ransomware.
Recently, Google finally decided to put an end to this. In a Reddit post reply, a Google official revealed that they are reviewing the policy regarding apps and accessibility services, so that the service may only ever be used for its original intended purpose.
From here on out, it will be nearly impossible to publish an app that requests the android.permission.BIND_ACCESSIBILITY_SERVICE permission without explaining why you’re including it. Developers who fail to do this within 30 days of notice stand to have the offending app removed from the marketplace.
Interestingly enough, this change comes at a time when Google is in the spotlight for failing to stop malicious apps from entering the Google Play Store. Perhaps this is Google’s way of responding, and the beginning of new cybersecurity changes?