Google Enforces Strict Accessibility API Controls in Android 17.2, Blocking Banking Trojans
What Happened – Google released Android 17.2 with a rule that, while Advanced Protection Mode (APM) is active, blocks the accessibility service of any app from being switched on unless the app is declared as a tool whose primary purpose is an accessibility function. The change targets malicious apps that have long abused the Accessibility API to read screen content, steal credentials, intercept 2FA codes, and automate fraudulent transactions on the victim's device.
Why It Matters for TPRM –
- Reduces the attack surface for credential‑stealing malware that is typically delivered as, or bundled into, third‑party mobile apps.
- Forces app vendors to justify legitimate accessibility usage, improving supply‑chain hygiene.
- Impacts risk assessments for any third‑party mobile applications that handle financial or personal data.
Who Is Affected – Financial services (banking, crypto), mobile app developers, enterprise MDM providers, and end‑users of Android devices with APM enabled.
Recommended Actions –
- Review all third‑party Android apps used within your organization for accessibility service usage (a service in the manifest bound with BIND_ACCESSIBILITY_SERVICE).
- Verify that any such usage is documented and justified by an accessibility function; a banking, productivity or utility app that requests it needs a written explanation from the vendor.
- Enforce device policies that enable APM where feasible, prioritizing devices used for financial approvals or privileged access.
- Update mobile security controls to inventory enabled accessibility services on managed devices and alert on any that is not on an approved list.
Technical Notes – The restriction is enforced at the OS level while APM is on: an app's accessibility service cannot be enabled at all, not even by the user in Settings, unless the app is declared as an accessibility tool. Accessibility services have never been self‑enabling; the user has always had to switch them on in Settings, which is why banking trojans rely on social engineering (fake "update" or "activation" prompts) to walk the victim through that step, and APM now closes that path. Only apps whose core purpose is screen reading, voice control, switch input, or Braille support are permitted. Abuse techniques previously seen include fake overlay screens placed over banking apps to harvest credentials, reading on‑screen content and notifications to capture 2FA codes, and auto‑clicking through permission and confirmation dialogs on the victim's behalf. Source: Malwarebytes Labs
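Worked Example – The review step above is easier to do mechanically than by hand. The script below is an added example, not code from Malwarebytes, Google, or any app vendor. It takes a decoded AndroidManifest.xml (for instance from apktool) plus the app's decoded res/xml accessibility config, lists every service bound with BIND_ACCESSIBILITY_SERVICE, and reports whether the config carries android:isAccessibilityTool="true" (an attribute that exists since API 31) and which high‑risk capabilities (window content retrieval, gesture performance, key‑event filtering) it requests. Assumptions: that the "declared accessibility tool" signal Google keys on corresponds to this existing attribute, and that the two sample apps, com.example.screenreader and com.example.pdfviewer, are constructed inputs rather than real packages.

```python
# Added audit helper (not from the article, Google, or any vendor): list the
# accessibility services an Android app declares and flag undeclared ones.
import xml.etree.ElementTree as ET

ANDROID_NS = "http://schemas.android.com/apk/res/android"
BIND_PERM = "android.permission.BIND_ACCESSIBILITY_SERVICE"
CONFIG_META = "android.accessibilityservice"
# Capability attributes in the service config worth calling out in a review.
CAPABILITY_ATTRS = ("canRetrieveWindowContent", "canPerformGestures",
                    "canRequestFilterKeyEvents")


def _attr(elem, name):
    """Read an attribute from the android: namespace (None if absent)."""
    return elem.get("{%s}%s" % (ANDROID_NS, name))


def find_accessibility_services(manifest_xml):
    """Return every <service> bound with BIND_ACCESSIBILITY_SERVICE."""
    root = ET.fromstring(manifest_xml)
    package = root.get("package")
    services = []
    for svc in root.iter("service"):
        if _attr(svc, "permission") != BIND_PERM:
            continue
        config_ref = None  # "@xml/<name>" pointing at res/xml/<name>.xml
        for md in svc.findall("meta-data"):
            if _attr(md, "name") == CONFIG_META:
                config_ref = _attr(md, "resource")
        services.append({"package": package, "service": _attr(svc, "name"),
                         "config_ref": config_ref})
    return services


def parse_service_config(config_xml):
    """Extract isAccessibilityTool and the risky capability flags."""
    root = ET.fromstring(config_xml)
    if root.tag != "accessibility-service":
        raise ValueError("not an accessibility-service config: " + root.tag)
    def flag(name):
        return (_attr(root, name) or "false").lower() == "true"
    return {"is_tool": flag("isAccessibilityTool"),
            "capabilities": [c for c in CAPABILITY_ATTRS if flag(c)]}


def audit_app(manifest_xml, xml_resources):
    """xml_resources maps '@xml/<name>' to the decoded config XML text."""
    findings = []
    for svc in find_accessibility_services(manifest_xml):
        cfg_xml = xml_resources.get(svc["config_ref"]) if svc["config_ref"] else None
        if cfg_xml is None:
            verdict, caps = "REVIEW_MISSING_CONFIG", []
        else:
            cfg = parse_service_config(cfg_xml)
            caps = cfg["capabilities"]
            verdict = "DECLARED_TOOL" if cfg["is_tool"] else "UNDECLARED"
        findings.append({**svc, "verdict": verdict, "capabilities": caps})
    return findings


# Constructed sample inputs (hypothetical apps, not real packages).
def _manifest(package, service, config_ref):
    return """<manifest xmlns:android="%s" package="%s">
  <application>
    <service android:name="%s"
        android:permission="android.permission.BIND_ACCESSIBILITY_SERVICE">
      <intent-filter>
        <action android:name="android.accessibilityservice.AccessibilityService"/>
      </intent-filter>
      <meta-data android:name="android.accessibilityservice"
          android:resource="%s"/>
    </service>
  </application>
</manifest>""" % (ANDROID_NS, package, service, config_ref)

SCREEN_READER_MANIFEST = _manifest("com.example.screenreader", ".ReaderService", "@xml/reader_config")
SCREEN_READER_RES = {"@xml/reader_config": (
    '<accessibility-service xmlns:android="%s" android:isAccessibilityTool="true" '
    'android:canRetrieveWindowContent="true"/>' % ANDROID_NS)}

# A "PDF viewer" that wants screen content and gestures but is not an accessibility tool.
PDF_VIEWER_MANIFEST = _manifest("com.example.pdfviewer", ".HelperService", "@xml/helper")
PDF_VIEWER_RES = {"@xml/helper": (
    '<accessibility-service xmlns:android="%s" android:canRetrieveWindowContent="true" '
    'android:canPerformGestures="true"/>' % ANDROID_NS)}


def run_sample_audit():
    return {"screenreader": audit_app(SCREEN_READER_MANIFEST, SCREEN_READER_RES),
            "pdfviewer": audit_app(PDF_VIEWER_MANIFEST, PDF_VIEWER_RES)}


if __name__ == "__main__":
    for app, findings in run_sample_audit().items():
        for f in findings:
            print(app, f["service"], f["verdict"], ",".join(f["capabilities"]))
```

In practice run the audit over each APK after decoding it, and treat UNDECLARED services that request canRetrieveWindowContent or canPerformGestures in a non‑accessibility app as the items that need a vendor justification; with APM enabled those services will not be switchable on at all, so they are also the ones most likely to break on managed devices.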