Android Accessibility: Enable with Caution
A convenience can always become a vulnerability.
Android is a well-designed, simple operating system created to be secure and easy to use. However, like any complex operating system, it naturally comes with features intended for usability that may put smartphones or tablets at serious risk of infection.
Today, we are going to look at a feature that deserves caution and could be regarded as the most dangerous of all. We will also explore practices we can follow to minimize the risks.
Accessibility
Accessibility is a powerful Android feature (Settings → Accessibility) originally designed for people with impairments. It enables them to interact with devices by:
Controlling the phone through voice commands
Reading the screen through screen reading
It is important to note that for those with impairments, these features are not just a convenience but essential. However, the nature of Accessibility’s modus operandi violates the principle of strict isolation, i.e., an app can listen to and control everything going on within the Android operating system.
Non-Accessibility Apps
Several types of apps use accessibility services for purposes that extend beyond the original intention of aiding users with disabilities. These non-accessibility uses often involve enhancing functionality or providing convenience features. Here are some common app types that use accessibility services for non-accessibility purposes:
Automation Apps: Automate, MacroDroid
Password Managers: LastPass, 1Password
Screen Capture & Recording Apps: DU Recorder
Overlay & Floating Apps: Bubble Cloud Widgets
Anti-Theft & Security Apps: Cerberus
Risks
As with any feature, Accessibility can be weaponized by malicious apps. These apps can request the above permissions under the guise of Accessibility and perform malicious activities such as:
Gathering your passwords
Reading your OTP tokens
Reading private/sensitive information
And so on.
In short, an application using Accessibility can see everything happening on the Android device’s screen. It also has the capability to perform any action on the user’s behalf.
Mitigation
Google has implemented several mitigation measures to enhance the security and privacy of Accessibility services on Android devices.
Permission Transparency
User Consent: Apps must explicitly request permission to enable accessibility services.
Permission Review: Users can review and manage the accessibility permissions granted to apps.
Play Store Policies
Strict Guidelines: Google Play Store enforces strict guidelines for apps requesting accessibility permissions. Developers need to provide valid justification for using these services. Apps that misuse these services will be removed from the store.
What Can We Do?
We can protect ourselves from abuse of the Accessibility feature by following these practices:
Beware of apps requesting access to Accessibility features.
Always install apps from official stores.
Regularly review your Accessibility permissions.
Reviewing Accessibility Permissions
Go to “Settings → Accessibility” on your Android phone.
Tap “Installed Apps”.
Confirm that the “On/Off” setting for each app matches your intent.
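The same review can be done from a computer over adb. The script below is an added example, not part of the original article: it takes the output of `adb shell settings get secure enabled_accessibility_services` and lists every enabled service whose package is not on an allowlist. The package names, the allowlist and the sample value are constructed for illustration.

```shell
#!/bin/sh
# Added example: list enabled accessibility services that are not on an allowlist.
# Input is the value of the secure setting "enabled_accessibility_services":
# a colon-separated list of package/service components ("null" or empty if none).

# Assumption: packages the owner deliberately granted Accessibility access to.
ALLOWED_PACKAGES="com.example.screenreader com.example.passwordmanager"

# Constructed sample value (not taken from a real device).
SAMPLE="com.example.screenreader/.ReaderService:com.example.flashlight/.OverlayService:com.example.passwordmanager/com.example.passwordmanager.FillService"

unexpected_a11y_services() {
    # Strip carriage returns that adb output can carry.
    value=$(printf '%s' "$1" | tr -d '\r')
    case $value in
        ''|null) return 0 ;;   # nothing enabled
    esac
    old_ifs=$IFS
    IFS=:
    set -f                     # no globbing while splitting on ":"
    for component in $value; do
        pkg=${component%%/*}   # package name is the part before "/"
        case " $ALLOWED_PACKAGES " in
            *" $pkg "*) ;;                     # expected, skip
            *) printf '%s\n' "$component" ;;   # not allowlisted, needs review
        esac
    done
    set +f
    IFS=$old_ifs
    return 0
}

# Use the first argument if one is given, otherwise the constructed sample.
report=$(unexpected_a11y_services "${1-$SAMPLE}")
if [ -n "$report" ]; then
    printf 'Review these accessibility services:\n%s\n' "$report"
else
    printf 'No unexpected accessibility services enabled.\n'
fi
```

With USB debugging enabled, pass the device value as the first argument, for example `sh audit.sh "$(adb shell settings get secure enabled_accessibility_services)"` (the file name is arbitrary).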