With the arrival of Android 13 later in 2022, Google will clamp down on spammy sideloaded apps that abuse accessibility APIs. For the unaware, accessibility APIs allow developers to offer assistive features such as screen readers and read-aloud functions to help users with hearing or visual disabilities. However, bad actors have exploited Android’s accessibility privilege to distribute malware and carry out other serious abuses. Take for example the MysteryBot malware, which secretly monitored touchscreen input for keylogging, allowing it to record keystrokes in sensitive scenarios such as login pages.

Malicious apps can also present a fake HTML overlay that looks like a legitimate login screen for a targeted app in order to steal authentication credentials. The Flubot malware, which made waves in 2021, sent SMS messages to victims with a link to download an app that abused accessibility access to steal login credentials for banking and cryptocurrency apps. Google has tried to curb the unnecessary use of accessibility APIs by apps listed on the Play Store, but apps downloaded from third-party repositories have proved to be an Achilles' heel for the OS.


That is about to change with Android 13. Following the release of Android 13’s first public beta, Esper’s Mishaal Rahman dug into the updated app settings and found a native system that restricts accessibility APIs for sideloaded apps. Android has allowed users to manually enable accessibility access for certain apps, but the upcoming OS update might disable that manual toggle. Instead, users will see an error message that says “for your security, this setting is currently unavailable” if they try to grant accessibility access to an app downloaded from sources other than the Play Store.

Clamping Down On Accessibility Privileges

Android 13 accessibility settings
Credit: Esper

Google comprehensively vets apps listed on the Play Store that require the use of accessibility features, but that safety protocol is not implemented for apps that are downloaded as an APK file from the web. Google is not going to enable the limitation for all sideloaded apps though, as the company is only targeting applications downloaded from shady and less legitimate sources. It is unclear if there’s an internal database that categorizes third-party app repositories as legitimate or risky, but one parameter will come in handy in making that judgment: the session-based package installation API. Rahman notes that “this installation method is usually used by app stores to provide a more seamless experience.”

Apps that require accessibility access but have been installed from a source that does not implement the session-based package installation system will have the accessibility privilege disabled by default. In a nutshell, users won’t be able to grant accessibility privileges to shady sideloaded apps, even if they want to. The scrutiny begins with the Files by Google app, which analyses whether an app’s APK package falls in line with the session-based package installation guidelines. Once implemented in Android 13, malicious apps seeded via a suspicious webpage or SMS link will have their accessibility freedom curtailed, preventing them from performing harmful tasks like stealing sensitive information.
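The check Android 13 is described as applying here, in the user's own device telemetry terms, comes down to two questions: which accessibility services are enabled, and who installed the package that owns each one. The following triage script is an added example written for this article, not code from Google, Esper or the Android project. It assumes the output formats of two real commands: `adb shell settings get secure enabled_accessibility_services` (a colon-separated list of `package/Service` entries, or `null`) and `adb shell pm list packages -i` (one `package:<name>  installer=<installer or null>` line per package). Both samples below are constructed inline so the script runs offline; the package and service names are invented for illustration.

```shell
#!/bin/sh
# Constructed sample of `adb shell settings get secure enabled_accessibility_services`
# (assumed format: colon-separated package/Service entries, or the literal "null").
ENABLED_SERVICES='com.example.screenreader/.ReaderService:com.shady.dropper/.GrabberService'

# Constructed sample of `adb shell pm list packages -i` output
# (assumed format: "package:<name>  installer=<installer package or null>").
PM_LIST='package:com.example.screenreader  installer=com.android.vending
package:com.shady.dropper  installer=null
package:com.example.notes  installer=com.android.vending'

# Print the installer recorded for a package, "null" when the package was
# installed without an attributed installer, or "unknown" when not listed.
installer_of() {
    printf '%s\n' "$PM_LIST" | awk -v pkg="$1" '
        $1 == ("package:" pkg) { sub(/^installer=/, "", $2); print $2; found = 1 }
        END { if (!found) print "unknown" }'
}

# List every enabled accessibility service whose owning package has no
# attributed installer, i.e. was not installed through a store-style
# installer. Each line is "<service> <installer>".
flag_unattributed_services() {
    printf '%s\n' "$ENABLED_SERVICES" | tr ':' '\n' | while IFS= read -r svc; do
        case "$svc" in ''|null) continue ;; esac   # nothing enabled
        pkg=${svc%%/*}                             # package part before '/'
        inst=$(installer_of "$pkg")
        case "$inst" in
            null|unknown) printf '%s %s\n' "$svc" "$inst" ;;
        esac
    done
}

flag_unattributed_services
```

To run this against a real device, replace the two constructed strings with the output of the quoted `adb shell` commands. An empty installer is a signal to investigate, not proof of malice: a user who deliberately sideloaded a screen reader will show up here too, and the article's description of Android 13 ties the restriction to the session-based installer API specifically, which installer attribution only approximates.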


Source: Esper