Android 14 should block malware that wants to steal 2FA codes

The Accessibility API in Android provides builders the required instruments to develop purposes for customers with disabilities. For instance, the API permits the content material of a display to be learn aloud and a smartphone to be operated by voice.

Sadly, these accessibility options additionally include a danger. They can be utilized as a loophole by hackers to, for instance, learn a code for two-step verification (2FA) or press sure buttons in an web banking app. To eliminate these safety dangers, Android 14 will introduce a brand new API. It would then restrict which accessibility companies can entry their apps. That stories Android specialist Esper on his weblog.

2FA codes stolen

In early 2020, Dutch safety agency ThreatFabric found a model of the Cerberus malware that would steal 2FA codes from Google Authenticator. Final month it found Italian Cleafy Nexus, a brand new kind of malware that additionally gained entry to two-factor authentication codes. These are just some examples of a slew of malware purposes which have focused Android’s Accessibility API in recent times.

Google has already taken numerous steps in earlier Android variations to maintain unhealthy guys away from options that ought to assist folks with disabilities. For instance, the search big tightened its coverage for the App Retailer, and these days not all apps are allowed to declare that they’re an accessibility instrument.

For Android 14, Google goes one step additional. Builders themselves can forestall apps that aren’t really accessibility instruments from having access to apps. Particularly, we might add the brand new attribute ACCESSIBILITY_DATA_PRIVATE_YES in order that solely the suitable apps can entry that particular view. Apps like Google Authenticator can combine that code into their app in order that solely actual accessibility instruments can learn 2FA codes.

Featured article

Android 14 Developer Preview 2 official: This is what’s new