Google Begins Removing Play Store Apps Misusing Android Accessibility Services
Google has emailed Android app developers informing them that within 30 days, they must show how accessibility code used in their apps is helping disabled users or their apps will be removed from its Play Store entirely.
Many popular Android apps use the accessibility API to legitimately provide users with benefits, but over the past few months, we have seen a series of malware, including DoubleLocker ransomware, Svpeng, and BankBot, misusing this feature to infect people.
Researchers have even discovered an attack, Cloak and Dagger, that could allow hackers to silently take full control of the infected devices and steal private data.
This feature that lets malicious apps hijack a device’s screen has become one of the most widely exploited methods used by cybercriminals and hackers to trick unwitting Android users into falling victims for malware and phishing scams.
Google planned to resolve this issue with the release of its Android Oreo, but the new Android OS launched without changes in policy related to Accessibility services.
“If you aren’t already doing so, you must explain to users how your app is using the [accessibility feature] to help users with disabilities use Android devices and apps,” part of the email sent out to developers reads.
“Apps that fail to meet this requirement within 30 days may be removed from Google Play. Alternatively, you can remove any requests for accessibility services within your app. You can also choose to unpublish your app.”
An active thread on Reddit where developers and app users are complaining about this change suggests that this new move will also affect popular and legitimate apps like LastPass, Tasker, and Universal Copy that use accessibility feature for key features and not intended for disabled users.
Although 30 days is a short period of time for app developers to find workarounds, the developer of Tasker suggested an alternative way to replace the accessibility services with different code.
“I plan to replace app detection with usage stats API,” Tasker’s developers suggested their plans to proceed. “Unfortunately, this API started with API 21, so people using Tasker on a pre-Lollipop device won’t be able to use app contexts anymore.”
This new move will prevent abuse of the API that poses a potential security threat to Android users, but legitimate app developers have only 30 days to search for an alternative before their apps get kicked out of Play Store.