Abusing Accessibility Services is a prevalent technique, notably used by various Android botnets such as BianLian, Cerberus, Chameleon, GodFather, Hook and Xenomorph.
Despite its prevalence, the technique remains relatively unfamiliar to the general audience. As a result, users fail to recognize the specific permission dialog, and recognizing it would save them from infection.
At best, security-conscious individuals are acquainted with the concept of malicious overlays. But overlays are merely one facet of the malicious tasks malware can implement with a custom Accessibility Service. Malware can use the API to create a keylogger, turn off Play Protect, prevent application uninstallation, manipulate the clipboard, emulate gestures and clicks, steal credentials or sensitive information from other applications, etc.
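Several of the capabilities listed above must be declared in an app's Accessibility Service configuration, so they can be audited before the permission dialog is ever accepted. The following Python example is added here and is not code from the original page; the manifest and config are constructed samples, and the package and service names are hypothetical.

```python
import xml.etree.ElementTree as ET

ANDROID = "{http://schemas.android.com/apk/res/android}"
BIND = "android.permission.BIND_ACCESSIBILITY_SERVICE"

# Constructed sample: decoded AndroidManifest.xml of a hypothetical app.
MANIFEST = """<manifest xmlns:android="http://schemas.android.com/apk/res/android"
    package="com.example.flashlight">
  <application>
    <service android:name=".HelperService" android:permission="android.permission.BIND_ACCESSIBILITY_SERVICE">
      <intent-filter>
        <action android:name="android.accessibilityservice.AccessibilityService"/>
      </intent-filter>
    </service>
    <service android:name=".SyncService"/>
  </application>
</manifest>"""

# Constructed sample: the service's res/xml accessibility-service config.
CONFIG = """<accessibility-service xmlns:android="http://schemas.android.com/apk/res/android"
    android:accessibilityEventTypes="typeViewTextChanged|typeWindowStateChanged"
    android:canRetrieveWindowContent="true"
    android:canPerformGestures="true"/>"""

def accessibility_services(manifest_xml):
    """Return names of services that bind as an Accessibility Service."""
    root = ET.fromstring(manifest_xml)
    return [s.get(ANDROID + "name") for s in root.iter("service")
            if s.get(ANDROID + "permission") == BIND]

def risky_capabilities(config_xml):
    """Map declared capabilities to the abuse cases named in the text."""
    cfg = ET.fromstring(config_xml)
    events = (cfg.get(ANDROID + "accessibilityEventTypes") or "").split("|")
    findings = []
    if "typeViewTextChanged" in events or "typeAllMask" in events:
        findings.append("observes text input (keylogging)")
    if cfg.get(ANDROID + "canRetrieveWindowContent") == "true":
        findings.append("reads other apps' window content (credential theft)")
    if cfg.get(ANDROID + "canPerformGestures") == "true":
        findings.append("dispatches gestures (click emulation)")
    return findings

if __name__ == "__main__":
    for name in accessibility_services(MANIFEST):
        print(name, "->", risky_capabilities(CONFIG))
```

Event types can also be changed at runtime, so a config without `typeViewTextChanged` does not clear an app. A flashlight-style app declaring any Accessibility Service at all is already worth a closer look.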
Confronted with massive abuse, Google faced a dilemma: either permit the continued onslaught of attacks, or curtail the functionality of Accessibility Services, potentially limiting individuals with disabilities. In Android 13, Google introduced “Restricted Settings”, which prevents side-loaded applications from getting the necessary Accessibility permissions. Regrettably, this security measure proved insufficient and was bypassed by recent Android malware.