With the widespread use of mobile computing devices such as smartphones, tablets and smart watches, users of these devices are exposed to malware and malicious activity that attempts to capture their personal, financial and other sensitive information. Accessibility services can be (mis)used to maliciously capture such information. An application may configure and register an accessibility service with a mobile operating system platform. Typically, such an accessibility service is intended to help users with physical, visual, or age-related limitations use the application on their mobile computing devices. However, having an accessibility service enabled for an application can also introduce a vulnerability, especially when the application is a malware application on the mobile computing device. Under some mobile operating systems such as Android, an application with its accessibility service turned on is not limited to monitoring only the usage or content of that application on the mobile computing device. For example, if the accessibility service of a malware application is configured to handle certain types of accessibility events, then the malware application can interpret accessibility events of those types meant for other applications, monitor what the user is typing, and hijack user interactions for malicious purposes.
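As an added illustration (not part of the original text), the following defender-side audit flags the condition described above: a declared accessibility service whose configuration lets it handle event types belonging to other applications. It assumes the decoded Android `<accessibility-service>` metadata XML as input; the package names and both sample configurations are constructed.

```python
import xml.etree.ElementTree as ET

ANDROID = "{http://schemas.android.com/apk/res/android}"
# Event types that expose typed text or on-screen content.
SENSITIVE_TYPES = {"typeViewTextChanged", "typeViewTextSelectionChanged",
                   "typeWindowContentChanged", "typeAllMask"}

def _split(value, sep):
    return {v.strip() for v in value.split(sep) if v.strip()}

def audit_service_config(xml_text, own_package):
    """Return findings for one <accessibility-service> config (empty list = scoped)."""
    # Use a hardened XML parser when the config comes from an untrusted package.
    root = ET.fromstring(xml_text)
    if root.tag != "accessibility-service":
        raise ValueError("not an accessibility-service config")
    types = _split(root.get(ANDROID + "accessibilityEventTypes", ""), "|")
    pkgs = _split(root.get(ANDROID + "packageNames", ""), ",")
    foreign = pkgs - {own_package}
    findings = []
    if not pkgs:
        # With no packageNames, the service receives events from every application.
        findings.append("scope: no packageNames, receives events from every application")
    elif foreign:
        findings.append("scope: listens to other applications: " + ", ".join(sorted(foreign)))
    cross_app = not pkgs or bool(foreign)
    hits = types & SENSITIVE_TYPES
    if cross_app and hits:
        findings.append("events: " + ", ".join(sorted(hits)))
    if cross_app and root.get(ANDROID + "canRetrieveWindowContent", "false") == "true":
        findings.append("content: can read window content of other applications")
    return findings

# Constructed sample: unscoped service that sees text changes in all applications.
BROAD = """<accessibility-service
    xmlns:android="http://schemas.android.com/apk/res/android"
    android:accessibilityEventTypes="typeViewTextChanged|typeViewFocused"
    android:canRetrieveWindowContent="true" />"""

# Constructed sample: service limited to its own (hypothetical) package.
SCOPED = """<accessibility-service
    xmlns:android="http://schemas.android.com/apk/res/android"
    android:accessibilityEventTypes="typeViewClicked|typeViewFocused"
    android:packageNames="com.example.reader" />"""

if __name__ == "__main__":
    for name, cfg in (("BROAD", BROAD), ("SCOPED", SCOPED)):
        print(name, audit_service_config(cfg, "com.example.reader"))
```

A service can also change its configuration at run time, so a clean result from this static check covers only the declared metadata.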
Accessibility services are a potential vector for leakage of sensitive user information on the mobile computing device. However, disabling accessibility services outright is problematic because, as noted above, accessibility services enhance the interaction of users with their mobile computing devices.
It would be desirable to address these issues.