
Android 17 blocks non-accessibility apps from the AccessibilityService API

By Artem Safonov, Threat Analyst
Cover © Anonhaven

Google added an accessibility API lockdown in Android 17 Beta 2. When Advanced Protection Mode (AAPM) is active, the system prevents any app not classified as an accessibility tool from receiving AccessibilityService access. The change targets the Android API most abused by banking trojans.

Kaspersky detected 255,090 new malware packages exploiting it in 2025 alone.

Android Authority confirmed the restriction on a Pixel 9a running Beta 2. The team tested dynamicSpot, a popular app that emulates Apple's Dynamic Island. With AAPM enabled, the app could not obtain the required access. On Android 16 QPR3 (the current stable release), the same app works fine with AAPM active.

The enforcement mechanism is binary. Apps must declare isAccessibilityTool=true in their service metadata to pass the check. Screen readers, voice control systems, and switch-based input tools qualify. Automation apps, custom launchers, notification customizers, password managers, and antivirus software do not.

Apps that already had accessibility privileges before AAPM was enabled get their access automatically revoked. Users see "Restricted by Advanced Protection Program" and cannot override it. The only path to restoring those apps is disabling AAPM entirely.

Kaspersky's 2025 mobile threat report recorded 14 million attacks intercepted during the year. Trojan banker attacks on Android surged 56% over 2024. The number of new banking trojan installation packages reached 255,090, a 271% jump. Mamont (49.8% of detected banking trojans) and Creduz (22.5%) led the ranking.

Check the permissions of apps that you use and think carefully before permitting an app, especially when it comes to high-risk permissions such as Accessibility Services.

— Anton Kivva, malware analyst team lead, Kaspersky

Nearly every major Android banking trojan family depends on AccessibilityService. Anatsa, TrickMo, ToxicPanda, Cerberus (and its descendants Hook and Octo), Mamont, Creduz, Albiriox, PixRevolution, and TaxiSpy all use the API. They intercept one-time passwords, display fake login screens, perform on-device fraud inside banking sessions, and remotely control the handset.

On-device fraud (ODF) is the specific technique that makes AccessibilityService so valuable to attackers. The trojan executes transactions within the victim's own banking app, bypassing device fingerprinting and multi-factor authentication. Cleafy documented this approach in TrickMo and ToxicPanda. Malwarebytes described Albiriox as a MaaS (malware-as-a-service) offering that auto-grants permissions without human interaction.

Google first warned developers about AccessibilityService misuse in 2017. Nine years of incremental restrictions followed. Android 12 (2021) introduced a Permissions Declaration Form. Android 13 (2022) barred sideloaded apps from accessing the API by default. Android 15 (2024) expanded restricted settings.

Each restriction was bypassed. Anatsa circumvented Android 13's restricted settings. Malware operators shifted from Play Store distribution to social engineering via phone call scams. Google responded in Android 16 Beta 2 (February 2025) by denying accessibility grants during active calls.

Google never consistently enforced its 2017 warning, as Heise noted.

AAPM parallels Apple's Lockdown Mode, introduced in iOS 16 (September 2022). Both are opt-in features for high-risk users that trade functionality for security. Apple disables message link previews, most attachment types, and incoming FaceTime from unknown contacts. Google bars sideloading, limits USB data, mandates Play Protect scanning, and now denies accessibility API access to non-assistive apps. The approaches differ because the platforms differ. iOS has no equivalent to AccessibilityService's reach across the entire operating system.

The Android 17 lockdown is the first time Google has denied an entire API category to non-assistive apps under a system-enforced security mode. For security teams managing Android fleets, AAPM now removes the most common entry point for banking trojans and spyware without requiring per-app policy configuration.

— Artem Safonov, Threat Analyst at AnonHaven

Google offers developers the AdvancedProtectionManager API to detect AAPM status. Applications can use it to adopt a hardened posture or limit high-risk features when the mode is active. For apps that rely on AccessibilityService for non-disability features, migrating to scoped Android APIs is the recommended path forward.

The lockdown ships with Android 17 Beta 2 and will almost certainly reach the stable release. High-risk Android owners should plan to enable AAPM when Android 17 arrives on their phone. All Android users should audit current accessibility settings now. Navigate to Settings, then Accessibility, then Installed services. Any app with accessibility access that is not a screen reader or assistive input tool should have that privilege revoked.
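For a security team that has to run the audit above across a fleet rather than through each phone's Settings screen, the following script (an added example, not code from the article or from Google) reads the secure setting that backs the Installed services list over adb and flags any enabled service that is not on an allowlist of known assistive tools. The allowlist is a constructed sample: TalkBack's component name is real, while `com.example.notifytweak` is a hypothetical non-assistive app used only for the offline check.

```shell
#!/bin/sh
# Fleet audit of enabled accessibility services over adb (added example, not
# code from the article or from Google). Android stores the enabled services
# in the secure setting 'enabled_accessibility_services' as colon-separated
# flattened component names (package/service class).
#
# ALLOWLIST is a constructed sample: TalkBack's component name is real; the
# rest of your organisation's assistive tooling must be added by you.
ALLOWLIST="com.google.android.marvin.talkback/com.google.android.marvin.talkback.TalkBackService"

# Print every enabled service that is not on the allowlist, one per line.
# $1 is the raw setting value; "null" or empty means nothing is enabled.
flag_unexpected_services() {
    raw=$1
    if [ -z "$raw" ] || [ "$raw" = "null" ]; then
        return 0
    fi
    echo "$raw" | tr ':' '\n' | while IFS= read -r svc; do
        [ -z "$svc" ] && continue
        case ":$ALLOWLIST:" in
            *":$svc:"*) ;;          # known assistive tool, nothing to do
            *) echo "$svc" ;;       # not a recognised assistive tool: review it
        esac
    done
}

# Query a connected device (needs adb on PATH and USB debugging enabled).
# Returns 1 when at least one unexpected service is enabled, so it can gate
# a compliance check.
audit_device() {
    raw=$(adb shell settings get secure enabled_accessibility_services | tr -d '\r')
    found=$(flag_unexpected_services "$raw")
    if [ -n "$found" ]; then
        echo "Accessibility access granted to non-assistive apps:" >&2
        echo "$found" >&2
        return 1
    fi
    echo "No unexpected accessibility services enabled."
}

# Constructed sample value: TalkBack plus a hypothetical notification tweaker.
SAMPLE="com.google.android.marvin.talkback/com.google.android.marvin.talkback.TalkBackService:com.example.notifytweak/.NotifyService"
```

Call audit_device with a device attached; the SAMPLE value exercises the parser offline.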


Questions on the topic

Does Android 17 block accessibility permissions for all apps?
Only when Advanced Protection Mode is enabled. Android 17 Beta 2 blocks apps not declared as accessibility tools from using the AccessibilityService API. Screen readers and assistive tools are unaffected.