With the first official beta out, Google has already started revealing what Android 13 will be all about. One big new change in the upcoming smartphone OS is that sideloaded apps will now be restricted from using Android’s Accessibility API and, by extension, any accessibility features.
Android DevOps solutions company Esper noticed this restriction earlier this week while also summarising how Android’s accessibility API has been misused over the years and has even become something of a security threat due to several malicious apps using it to take over the device.
However, there is still a caveat to this restriction. It won’t apply to any apps downloaded from third-party app stores like Amazon or F-Droid. The new setting only applies to APK files as Google focuses on restricting access for apps coming from seemingly less legitimate sources.
Additionally, users can override this restriction by using a hidden setting in the app details page, allowing users to authenticate their identity and let the sideloaded app access these previously restricted features.
Since the Accessibility API gives apps much deeper control over the device, Android requires users to manually enable accessibility services through device settings, while also warning them that doing so will give the app complete control of the device, including viewing and controlling the screen as well as taking action on the user’s behalf.
Malware developers take advantage of this by tricking users into enabling accessibility services and then taking over the device. Trojans like SharkBot, Xenomorph, BianLian, S.O.V.A, Vultur, TeaBot, FluBot and PixStealer all exploit the Accessibility API to get unfiltered access to the victim’s device.
Google has always encouraged developers to build apps with accessibility in mind; however, that’s not the same thing as having to use the API. The company has also tried to crack down on developers using the API for anything other than actual accessibility features but hasn’t taken any concrete action yet.
Someone who writes/edits/shoots/hosts all things tech and, when he’s not, streams himself racing virtual cars. You can follow Yadullah on Instagram or Twitter.