If you’ve downloaded one of the following, you might want to check your account
Google has a lot of moving parts behind the scenes, trying to keep malware off of the Play Store. But with seven figures of apps posting and updating constantly, even it doesn’t have a perfect record. Such is the claim from a security researcher last week, which said they found ten apps with variations on a trojan horse program. The apps are fairly innocuous based on their title and description, but each is designed to scrape a user’s phone for Facebook login credentials.
Dr. Web Anti-Virus said that variations of the Trojan were detected in the following publicly available apps:
PIP Photo by developer Lillians — 5,000,000+ downloads
Processing Photo by developer chikumburahamilton — 500,000+ downloads
Rubbish Cleaner by developer SNT.rbcl — 100,000+ downloads
Horoscope Daily by developer HscopeDaily momo — 100,000+ downloads
Inwell Fitness by developer Reuben Germaine — 100,000+ downloads
App Lock Keep by developer Sheralaw Rence — 50,000+ downloads
Lockit Master by developer Enali mchicolo — 5000+ downloads=
Horoscope Pi by developer Talleyr Shauna — 1000+ downloads
App Lock Manager by developer Implummet col — 10+ downloads
The researchers alerted Google to their findings, and as of Monday morning, it looks like all the apps and developers have been removed from the Play Store. Even so, the Play Store’s basic metrics report that the apps were installed on approximately six million Android devices, on the low end. A similar app, “EditorPhotoPip,” had already been removed from the Play Store but was available on alternative download sites.
Dr. Web reports that all of the apps it found were fully functional for their advertised purpose, making them particularly effective as spyware. This serves as yet another lesson to keep your guard up, even when downloading “vetted” apps directly from Google.
Google Sends a Grim Reminder that Developers are at their Mercy
ome of the most innovative applications on the Play Store are built on using APIs in ways that Google never intended. There are apps that can remap your volume keys to skip music tracks, record and play back touch inputs on webpages or games, and even provide alternative navigation keys so you can use your device’s entire screen. All of these examples that I’ve just mention rely on Android’s Accessibility APIs. But that may soon change, as the Google Play Store team is sending out emails to developers telling them that they can no longer implement Accessibility Services unless they follow Google’s guidelines.
What is an Accessibility Service?
To understand why this is significant, we first need to explain what Accessibility is in relation to Android. In general, accessibility refers to making an Android app more accessible to users with certain disabilities such as those who are visually impaired. While it’s in every developer’s best interests to make their apps more accessible to users with disabilities, there are a special class of applications that are designed to enhance the usability of all Android apps for users with disabilities. These are called Accessibility Services.
An Accessibility Service, commonly referred to as a11y, is an app that the system can feed certain information to depending on what events the Accessibility Service registers to listen for. An app that wishes to implement an Accessibility Service must add the android.permission.BIND_ACCESSIBILITY_SERVICE permission to the AndroidManifest file so only the system can bind to the app’s service.
For example, if an Accessibility Service is built to listen for TYPE_VIEW_CLICKED events, then that service will receive information from the system about any buttons that the user might press. An Accessibility Service can also react to and consume certain gestures and KeyEvents before other apps receive them. Finally, an Accessibility Service can also inject certain KeyEvents such as the back, split-screen, or recent apps button.
Thus, Accessibility Services can be extremely powerful and useful. Several of the most popular, innovative applications on the Google Play Store rely on a11y to perform their duties. Here are just some of the few examples I came up with off the top of my head:
AutoInput– intercept KeyEvents and perform tap/swipe gestures
Button Mapper– intercept KeyEvents and remap them to other KeyEvents
Greenify– automatically hibernate apps by force closing them before the screen turns off
Inputting+– detect when the keyboard app is open to show the floating action button
Tasker – detect when apps are open so you can perform any user-defined action
Type Machine – record all text input so you will never lose any text entry
None of these applications use a11y in the way Google intended, which is to help users with disabilities. I would wager that the vast majority of applications that implement an Accessibility Service do so for functions outside of Google’s purview. But that’s the beauty of Android and APIs like Accessibility—Google usually doesn’t restrict what developers can and cannot do. That lax approach with the use of Accessibility Services appears to be changing, however, as the Google Play Store team has been sending emails to developers warning them of upcoming changes to their policy regarding a11y.
What exactly is Google doing?
The company is informing developers that if their application uses an Accessibility Service for any reason other than assisting users with disabilities, then they must remove the use of this permission within 30 days or their application will be removed from the Play Store. Failure to abide by this requirement can result in an infraction against a developer’s Play Store account, which can eventually lead to account termination.
For the few apps that do use a11y to aid users with disabilities, Google states that these developers need to simply add a prominent, user-facing disclosure of the reason behind why their app needs the permission. However, as I mentioned before Accessibility Services are used far more often in apps that would end up violating this new policy.
Full email sent to developers
Why is Google removing Accessibility Services from the Play Store?
While the use of Accessibility Services are known to cause quite a bit of lag, the real reason why Google is starting to crack down on these apps is likely related to the growing issue of exploits that take advantage of a11y. Although the apps that I mentioned above use a11y for beneficial purposes, they can easily be exploited by malicious developers for nefarious purposes. For instance, an Accessibility Service can be used to implement a keylogger, ransomware attack, or phishing exploit.
Google’s efforts in protecting users from malicious Accessibility Services have mostly revolved around disclosure. Currently, enabling an Accessibility Service that registers for certain events such as TYPE_VIEW_TEXT_CHANGED will result in a warning dialog that the app may steal your passwords. You might think that such a message would be effective in preventing users from irresponsibly granting apps a11y. However, there have been plenty of documented cases of apps tricking users into granting a11y. Some attacks go even further, such as the Cloak and Dagger exploit and Toast Message Overlay attacks which socially engineer the user into granting a11y by misrepresenting what it is they are interacting with on the screen.
Attacks such as these are effective on the vast majority of Android devices. Google has made major strides in preventing overlay or toast message attacks (as can be seen in AOSP if you search for a11y), but things have gotten to the point where Google decided they are better off restricting the use of Accessibility Services entirely. It makes sense, but it really sucks because this move will kill the functionality of a lot of innovative apps.
What can developers do?
Unfortunately, there isn’t much developers can do in response to these changes. Developers can either comply with Google’s demands by removing their Accessibility Service or face the threat of their app being removed and their account possibly being terminated. Simply adding a disclosure for why their app uses a11y would only work if their app was legitimately aimed at assisting users with disabilities, which doesn’t describe most apps currently using a11y.
Refactoring apps to no longer use an Accessibility Service is possible for some, but not all, of the apps we’ve mentioned. Password managers such as LastPass can migrate to the Autofill Framework, but only if the user is running Android 8.0 Oreo and above. If an app uses a11y to monitor when other apps are open, that app can instead be written with a polling service using the UsageStats API. Apps like Tasker can survive such a change. Others like Button Mapper and AutoInput are out of luck—without root, there’s no good way to intercept KeyEvents.
While we recognize the danger in allowing a malicious app access to the Accessibility APIs, it’s a shame to see some really useful apps be neutered by Google. We hope that the policy Google laid out is reversed, or they simply claim that it was misinterpreted. As it stands, the wording in the email is pretty clear—comply with our guidelines or get out of the Play Store. It’s a grim reminder that Google has all the power of what apps belong in the Play Store, and they can pull the rug out from under you at any time.
Update 1: Confusing Developer Documentation
Google’s developer documents for building an Accessibility Service appear to contradict this new focus by the Google Play Store team. The page has the following wording at the time of this writing:
An accessibility service is an application that provides user interface enhancements to assist users with disabilities, or who may temporarily be unable to fully interact with a device. For example, users who are driving, taking care of a young child or attending a very loud party might need additional or alternative interface feedback.
Only developers accepted in the Daydream Access Program will be able to publish Daydream apps this fall. Other non-members probably early next year.
Google Daydream will launch this coming Fall of 2016, but it will be only a select group of developers that will be able to publish Daydream apps to the Google Play Store until 2017. Exclusivity, it seems.
What is Daydream?
It is Google’s high-end virtual reality initiative for Android. Daydream will soon be released but Google have some restrictions with regards to VR app submissions. For now, anyone can submit a Google Cardboard app to the Google Play Store but they will be keeping an eye to Daydream apps submitted on the early days of the release.
They will be choosing who or which developers can submit apps for the new platform.
Who can submit Daydream apps?
Only developers who are accepted into the Daydream Access Program (DAP) will be allowed to publish apps at this Fall’s Daydream launch. Everyone else will be allowed to publish apps “early next year.”
Good news is developers who wants to be part of DAP can now join the program. This will include some verification of important but basic information. This may be some description of the VR app that will be developed and submitted and whether if it will be launched on other VR platforms other than Daydream.
Perks are awaiting those that will be included in the exclusive group. They will be able to “get a first look at updates to Daydream’s developer tools and are connected to our team and the DAP community throughout the development process.”
However, it may seem simple at this stage but some criteria are still not clear. Daydream Access Program appears to be restrictive in order for Google to ensure to get only quality VR content at the day of the platform’s launch. This is contrary to their previous rules of being just opening up the platform who would wish to be Android developers.
One point of why Google is doing this strict submission practices is also to ensure that the initial Daydream apps will follow the best VR practices. This will in turn reflect a good image on Google’s new VR platform. These quality VR apps can also be a template for new developers to follow in their own on going projects.
Google, which just last week launched the Daydream SDK out of beta, is hosting an October 4th press event which is widely expected to see the announcement of new Daydream-ready phones from the company, amidst other news. This aligns with Google’s promise earlier this year that we’d see the first Daydream phones launch in Fall.