In Android 13, Google is cracking down on malware that uses Accessibility APIs
Malware has been an issue on Android for a long time, and one of the most prominent attack vectors is the accessibility services on a user's phone. Accessibility APIs are powerful tools intended to let developers assist users with disabilities: a service granted this access can read the screen, inject input, and more. Unfortunately, that also makes them ripe for abuse, with malware such as FluBot tricking users into enabling the service for a malicious app, which then uses that access to resist being uninstalled. This is changing in Android 13, as Google will prevent apps sideloaded from outside an app store from being granted this access.
As initially reported by Esper, Google will prevent apps sideloaded from outside of an app store from accessing accessibility APIs. Accessibility APIs are necessary for users with disabilities, but they also give an app an enormous amount of control over the device. That is why the user has to manually enable an accessibility service per app in Settings, but users can still be tricked into doing so if they don't understand what they are granting. With this change, a user will not be able to enable the service at all for an app installed through a browser or a text messaging app.
Google has struggled for a long time with how to handle apps that make use of accessibility services. In 2017, Google threatened to remove apps from the Google Play Store that used accessibility APIs for anything other than assisting users with disabilities. While the company eventually backed off, Google updated its policies in 2021. Now, developers of an app targeting Android 12 or higher that uses accessibility services for reasons other than helping disabled users must complete a permission declaration form and get approval from Google Play.
Now, though, things are changing again in Android 13. The accessibility service of any app sideloaded from outside of an app store cannot be enabled at all. When the user taps the option to enable it, the phone displays a pop-up stating "For your security, this setting is currently unavailable". While this may at first seem alarming for third-party app stores, Google confirmed to Esper that the change does not affect pre-loaded or sideloaded app stores and is meant only to restrict apps downloaded from less legitimate sources.
In short, the accessibility service of a sideloaded app installed through the session-based package installation API (PackageInstaller sessions) can still be enabled; this is the method third-party app stores typically use. Apps installed through the non-session package installation API will be restricted. That path is easier for developers to implement, since the installing app simply hands the APK off to the system package installer, and it is how texting apps, mail clients, and browsers handle APK installation. If you want to learn more about the technical details of this implementation, then be sure to check out Esper's complete write-up.
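To make the distinction concrete, here is an added example (written for this page, not code from the article, from Esper, or from Google) showing both install paths side by side in Java. An app installed by installViaSession() is one whose accessibility service the user can still enable on Android 13; an app installed by installViaIntent() is one that gets the "For your security, this setting is currently unavailable" dialog. The class name ApkInstaller, the receiver name InstallStatusReceiver, the "base.apk" entry name and the buffer size are assumptions for illustration; the PackageInstaller, PendingIntent and Intent calls are the real Android APIs.

```java
// Added example, not from the article, Esper, or Google: the two APK install
// paths the article contrasts. Class, receiver and entry names are assumed
// for illustration. Both paths need REQUEST_INSTALL_PACKAGES in the manifest,
// and InstallStatusReceiver must be declared as a <receiver>.
import android.app.PendingIntent;
import android.content.BroadcastReceiver;
import android.content.Context;
import android.content.Intent;
import android.content.pm.PackageInstaller;
import android.net.Uri;
import android.util.Log;

import java.io.File;
import java.io.FileInputStream;
import java.io.IOException;
import java.io.InputStream;
import java.io.OutputStream;

public final class ApkInstaller {
    private static final String TAG = "ApkInstaller";

    /** Session-based install, the path third-party app stores use. Returns the session id. */
    public static int installViaSession(Context ctx, File apk) throws IOException {
        PackageInstaller installer = ctx.getPackageManager().getPackageInstaller();
        PackageInstaller.SessionParams params = new PackageInstaller.SessionParams(
                PackageInstaller.SessionParams.MODE_FULL_INSTALL);
        params.setSize(apk.length());
        int sessionId = installer.createSession(params);
        PackageInstaller.Session session = installer.openSession(sessionId);
        try {
            // Stream the APK into the session. The write stream must be closed
            // before commit(), otherwise the session refuses to seal.
            try (InputStream in = new FileInputStream(apk);
                 OutputStream out = session.openWrite("base.apk", 0, apk.length())) {
                byte[] buf = new byte[64 * 1024];
                int n;
                while ((n = in.read(buf)) > 0) {
                    out.write(buf, 0, n);
                }
                session.fsync(out);
            }
            // The system reports the result through this PendingIntent. It must be
            // mutable because the installer fills in the status extras itself.
            Intent status = new Intent(ctx, InstallStatusReceiver.class);
            PendingIntent pi = PendingIntent.getBroadcast(ctx, sessionId, status,
                    PendingIntent.FLAG_MUTABLE | PendingIntent.FLAG_UPDATE_CURRENT);
            session.commit(pi.getIntentSender());
        } catch (IOException | RuntimeException e) {
            session.abandon();
            throw e;
        } finally {
            session.close();
        }
        return sessionId;
    }

    /** Non-session install: hand the APK to the system package installer via an Intent. */
    public static void installViaIntent(Context ctx, Uri apkContentUri) {
        Intent intent = new Intent(Intent.ACTION_VIEW);
        intent.setDataAndType(apkContentUri, "application/vnd.android.package-archive");
        intent.addFlags(Intent.FLAG_ACTIVITY_NEW_TASK | Intent.FLAG_GRANT_READ_URI_PERMISSION);
        ctx.startActivity(intent);
    }

    /** Receives the PackageInstaller status broadcasts for the session above. */
    public static final class InstallStatusReceiver extends BroadcastReceiver {
        @Override
        public void onReceive(Context ctx, Intent intent) {
            int status = intent.getIntExtra(PackageInstaller.EXTRA_STATUS,
                    PackageInstaller.STATUS_FAILURE);
            if (status == PackageInstaller.STATUS_PENDING_USER_ACTION) {
                // The user still has to confirm the install in the system UI.
                Intent confirm = intent.getParcelableExtra(Intent.EXTRA_INTENT);
                if (confirm != null) {
                    confirm.addFlags(Intent.FLAG_ACTIVITY_NEW_TASK);
                    ctx.startActivity(confirm);
                }
            } else {
                Log.i(TAG, "install status " + status + ": "
                        + intent.getStringExtra(PackageInstaller.EXTRA_STATUS_MESSAGE));
            }
        }
    }
}
```

The practical caveat that follows from the article: the restriction keys on which install mechanism was used, not on who used it. Any app that already holds REQUEST_INSTALL_PACKAGES and installs through the session API, whether a legitimate store or not, produces packages whose accessibility service the user can still enable, so the change raises the bar for the "tap the APK from a text message or browser download" case rather than for sideloading in general.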