When you install a new app, more often than not, you’re met with a series of prompts asking for permission to access certain features or hardware on your phone. Most permissions are harmless, and you can always roll them back in your phone’s settings. However, there’s one particularly dangerous permission that can cause a lot of trouble if left unchecked, which is why you should always check app permissions before hitting install.
I’m talking about Accessibility Services on your Android. This isn’t like letting an app check your location or use your camera. If you’ve allowed an app to use this and forgotten about it, anything from your banking credentials, passwords, personal data, and even what’s on your screen could be at risk.
Change These Settings to Stop New Android Apps From Spying on You
Freshly-installed apps can do a lot more than you’d like, until you rein them in.
This permission can control your entire phone
What Accessibility Services really allow apps to do
Android’s Accessibility Services were originally designed to help users with disabilities interact with their phones without compromising on the user experience. Screen readers, switch controls, voice navigation tools, and more all rely on this API to function properly. The problem, however, is that any app with accessibility permissions can read everything on your screen, simulate taps and swipes, intercept text as you type, and even approve its own permission requests—all without you knowing.
Android apps are supposed to be sandboxed so they don’t spy on each other, but the accessibility API breaks that rule. If a malicious app gets hold of it, the results can be devastating. Apps can steal credentials by overlaying fake interfaces over legitimate apps, lock your device, monitor activity, and do much, much more.
This isn’t a theoretical threat either. Banking trojans that abuse Accessibility Services have been a growing problem for years. According to Kaspersky, Trojans accounted for 40% of total Android malware infections in the first quarter of 2025. Another 2023 report from Kaspersky found that almost 12% of all detected malicious Android apps are categorized as banking Trojans that abuse the Accessibility API. That’s roughly 154,000 malicious apps spread across the internet.
And these malicious apps aren’t coming from external sources alone either. Trojans like the Anatsa banking Trojan (also known as TeaBot) were caught on the official Google Play Store in July 2025 and disguised as a PDF update for a document viewer app. It ended up being downloaded 90,000 times before Google took it down.
Check this setting right now
Where to look and what to turn off immediately
The good news is that checking this permission barely takes a minute. All you need to do is head over to your Android’s settings menu, find Accessibility, and you’ll find a list of downloaded apps along with their access status to your phone’s accessibility services.
If you see any apps that you did not specifically enable, or an app that doesn’t need to read and control everything on your screen, disable access or delete the app entirely. Legitimate use cases for accessibility services are quite narrow, which makes it easier to spot apps that don’t need to be on this list.
Legitimate tools like screen readers, magnification tools, some password managers, and automation apps like Tasker are fine. However, if you see a random game, a utility app you barely use, or anything you don’t immediately recognize, get it off the list.
It’s also worth checking Special app access for each app on your phone. This permission controls whether an app can install software from outside the Play Store, and it should not be allowed for any app unless you specifically need it. It makes for an easy entry point for malware apps to download additional payloads once the clean version sneaks onto your phone via the Google Play Store.
Google is starting to crack down
New restrictions—but they don’t fix everything
The scale of banking Trojans and accessibility API abuse has gotten bad enough for Google to finally take notice. While the Android-maker has been making small but consistent improvements to the accessibility service and how easy it is to access them, Android 17 is taking it a step forward.
The latest Android version, currently in testing, introduces a feature under Advanced Protection Mode that blocks non-accessibility apps from using the Accessibility API entirely. Only verified tools like screen readers, voice input apps, Braille interfaces, and so on will be allowed to access it.
Regardless, Android 17 won’t arrive on most phones for months, and that is, if it arrives in the first place. Until then, billions of Android devices running older versions are exposed to such apps, and the only way to ensure protection is to make sure this permission is disabled.
Don’t rely on Google to protect you
Why you need to take control yourself
Google might have a fix planned in the future, but the unfortunate reality is that no operating system update will protect you from a permission you’ve already granted. In a lot of cases, malicious apps only need you to grant the permission once so they can access whatever resource they need on your phone. Hidden Android permissions destroying your battery life is one thing, but these are much more severe.
Malware doesn’t need to break in through a vulnerability if you leave the front door wide open. So take a couple of minutes today, open your accessibility settings, and remove anything that doesn’t belong there. If you find nothing, make sure you keep it that way.