

Ethical Hacking News

Android 17 Blocks Non-Accessibility Apps from Accessibility API to Prevent Malware Abuse


Google has recently introduced a new security feature as part of Android Advanced Protection Mode (AAPM) that prevents certain kinds of apps from using the accessibility services API. This change aims to prevent malicious actors from exploiting the API to steal sensitive data from compromised Android devices.

  • Google has introduced a new security feature in Android 17 Beta 2 that prevents malicious apps from using the accessibility services API.
  • The new restriction aims to prevent non-verified apps from accessing sensitive data, such as phone numbers and location data.
  • Only verified accessibility tools with the `isAccessibilityTool="true"` flag are exempted from this rule.
  • The new restriction blocks non-verified apps that already have permission to use the accessibility services API when AAPM is active.
  • While AAPM is active, users cannot grant non-verified apps permission to use the API unless the setting is turned off.
  • A new contacts picker feature allows developers to specify only the fields they want to access from a user's contact list.



    Google has recently introduced a new security feature as part of Android Advanced Protection Mode (AAPM) that prevents certain kinds of apps from using the accessibility services API. This change, incorporated in Android 17 Beta 2, was first reported by Android Authority last week. The restriction aims to prevent malicious actors from exploiting the accessibility services API to steal sensitive data from compromised Android devices.

    The accessibility services API has been widely used for its legitimate purposes, such as assisting users with disabilities in using Android devices and apps. However, it has also been extensively abused by bad actors in recent years to compromise the security of Android devices. The most common attack vector is through the use of non-verified apps that claim to be accessibility tools but actually provide no value or functionality.

    These malicious apps often claim to offer features such as screen readers, switch-based input systems, voice-based input tools, and Braille-based access programs. In reality, these apps are designed to bypass security measures and gain unauthorized access to a device's sensitive data. This can include information such as phone numbers, email addresses, location data, and even personally identifiable information.

    The new restriction introduced by Android 17 Beta 2 aims to prevent non-verified accessibility apps from accessing the operating system's accessibility services API. According to Google, only verified accessibility tools, identified by the `isAccessibilityTool="true"` flag, are exempted from this rule. These verified tools include screen readers, switch-based input systems, voice-based input tools, and Braille-based access programs.

    The new restriction works in two ways. Firstly, it blocks non-verified apps that already have permission to use the accessibility services API when AAPM is active. This prevents malicious actors from gaining unauthorized access to sensitive data even if they have obtained valid permissions for their app. Secondly, users are not allowed to grant non-verified apps permissions to the API unless the setting is turned off.
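The rule described above can be checked ahead of time against an app's accessibility-service metadata. The following is an added example, not code from Google or from this article: it reads the `android:isAccessibilityTool` attribute from `<accessibility-service>` configuration XML and models the two behaviours the article describes. The package names and XML samples are constructed, the outcome labels are hypothetical, and any platform-side verification beyond the flag is not modelled.

```python
import xml.etree.ElementTree as ET

ANDROID_NS = "http://schemas.android.com/apk/res/android"

# Constructed sample metadata, as decoded from an APK's res/xml directory.
SAMPLES = {
    "com.example.screenreader": """<accessibility-service
        xmlns:android="http://schemas.android.com/apk/res/android"
        android:accessibilityEventTypes="typeAllMask"
        android:canRetrieveWindowContent="true"
        android:isAccessibilityTool="true" />""",
    "com.example.cleaner": """<accessibility-service
        xmlns:android="http://schemas.android.com/apk/res/android"
        android:accessibilityEventTypes="typeAllMask"
        android:canRetrieveWindowContent="true" />""",
}

def declares_accessibility_tool(xml_text):
    """True only if the root element sets isAccessibilityTool="true"."""
    root = ET.fromstring(xml_text)
    if root.tag != "accessibility-service":
        raise ValueError("not an accessibility-service config")
    # A missing attribute is treated as "false" (not an accessibility tool).
    value = root.get(f"{{{ANDROID_NS}}}isAccessibilityTool", "false")
    return value.strip().lower() == "true"

def aapm_outcome(is_tool, aapm_on, already_granted):
    """Model of the article's rule; the returned labels are hypothetical."""
    if is_tool or not aapm_on:
        return "enabled" if already_granted else "user may grant"
    # AAPM on and not a declared tool: both paths in the article apply.
    return "existing grant blocked" if already_granted else "grant refused"

def audit(samples, granted, aapm_on=True):
    """Map each package to its expected outcome under the modelled rule."""
    report = {}
    for pkg, xml_text in samples.items():
        is_tool = declares_accessibility_tool(xml_text)
        report[pkg] = aapm_outcome(is_tool, aapm_on, pkg in granted)
    return report

if __name__ == "__main__":
    for pkg, outcome in audit(SAMPLES, granted={"com.example.cleaner"}).items():
        print(f"{pkg}: {outcome}")
```
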

    In addition to this new restriction, Android 17 Beta 2 also introduces a new contacts picker that allows app developers to specify only the fields they want to access from a user's contact list. This feature provides granular control over the data that can be accessed by apps, and developers do not have to build or maintain their own UI for selecting contacts.

    The picker grants an app read access to only the selected data and provides a consistent user experience with built-in search, profile switching, and multi-selection capabilities, without the developer having to build or maintain the UI. This allows developers to create apps that respect users' privacy and security while still providing them with useful functionality.

    The new Android 17 Beta 2 release is part of Google's efforts to improve the security of its operating system. The company has been working hard to introduce various features that enhance the overall security posture of Android devices, including the Advanced Protection Mode, which was introduced in Android 16.

    The introduction of this new restriction and feature demonstrates Google's commitment to protecting users' sensitive data from malicious actors. By preventing non-verified apps from accessing the accessibility services API and providing granular control over the data that can be accessed by apps, Google is taking a significant step towards improving the security and privacy of Android devices.

    In conclusion, the new restriction introduced in Android 17 Beta 2 aims to prevent malware abuse of the accessibility services API. This change demonstrates Google's commitment to protecting users' sensitive data and provides developers with more granular control over their apps' access to user data.



    Related Information:
  • https://www.ethicalhackingnews.com/articles/Android-17-Blocks-Non-Accessibility-Apps-from-Accessibility-API-to-Prevent-Malware-Abuse-ehn.shtml

  • https://thehackernews.com/2026/03/android-17-blocks-non-accessibility.html

  • https://www.androidauthority.com/android-17-beta-2-advanced-protection-mode-accessibility-apps-3648860/


  • Published: Mon Mar 16 02:07:28 2026 by llama3.2 3B Q4_K_M












