
Accessibility abuse

The misuse of built-in operating system accessibility features to observe the screen, capture input, overlay content, or automate app interaction. The feature is legitimate, but when an attacker controls it, the result is covert session manipulation that is difficult to distinguish from normal device behaviour.

Expanded Definition

Accessibility abuse is a form of session manipulation that exploits legitimate operating system accessibility services, such as screen reading, input observation, content overlay, or automated interaction. In mobile and desktop environments, these features are designed to support users, but they can also grant high-fidelity visibility into app state and user actions when an attacker gains control. This makes accessibility abuse especially relevant in NHI and agentic AI settings where a device-bound workflow can be coerced into approving actions, exposing secrets, or completing transactions without obvious signs of compromise.

Definitions vary across vendors because some treat accessibility abuse as malware behavior, while others classify it as a post-compromise technique. The operational meaning is best understood through the lens of OWASP Non-Human Identity Top 10 and platform abuse patterns documented by NHI Management Group in the Ultimate Guide to NHIs. The concern is not the accessibility feature itself, but the privilege boundary it can collapse when used to impersonate a trusted operator or automate decisions on behalf of a user or agent.

The most common misapplication is to assume accessibility prompts are harmless because they come from a legitimate OS feature. That assumption only holds if someone has verified which process controls the service at runtime, and security teams routinely skip that check.

Examples and Use Cases

Rigorous defensive controls often add friction for legitimate accessibility users, so organisations have to weigh usability and inclusivity against the risk of covert control when they harden devices.

  • A malicious app requests accessibility permissions and then reads screen content to capture MFA codes, approval dialogs, or embedded secrets shown during admin workflows.
  • An attacker uses accessibility services to auto-click consent screens, transforming a user device into a proxy for authorizing access that should have been challenged elsewhere.
  • In a mobile banking or support portal workflow, accessibility abuse overlays a fake prompt above the real one, redirecting a human or agent into revealing credentials or approving a risky action.
  • Security teams reviewing the abuse chain map it against the OWASP Non-Human Identity Top 10 and NHI-focused attack paths because the manipulated session often ends with stolen tokens or over-privileged access.
  • NHI Management Group’s 52 NHI Breaches Analysis is useful when assessing whether the final impact was credential theft, privilege escalation, or misuse of an automated approval path.

Accessibility abuse also appears in agentic environments when a desktop agent is allowed to interact with a browser or remote console and the attacker hijacks the input path to make the agent complete actions outside intended policy.

Why It Matters in NHI Security

Accessibility abuse matters because it bypasses many assumptions built into application-layer trust models. If the device or assistive process is compromised, the attacker can observe secrets, manipulate approvals, and simulate human intent without needing to break the underlying application outright. In NHI operations, that is especially dangerous when service credentials, delegated approvals, or recovery flows depend on a device session that is presumed trustworthy. The NHI Management Group notes that 79% of organisations have experienced secrets leaks, with 77% resulting in tangible damage, which shows how often weak control boundaries turn into real compromise.

Practitioners should treat this as a control-plane issue, not just a mobile malware issue. Defensive priorities include permission hardening, runtime attestation where available, step-up verification for sensitive actions, and reducing the exposure of secrets in on-screen workflows. The Ultimate Guide to NHIs — Key Challenges and Risks frames this well: broad visibility into service activity is still uncommon, so covert manipulation often persists until a post-incident review reveals it. Organisations typically meet the operational cost only after a fraudulent approval, at which point accessibility abuse has to be investigated and contained rather than prevented.
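The Android activity below is an added illustration, not code from this page or from NHI Management Group, of three of those priorities on a sensitive approval screen: it verifies at runtime which accessibility services currently control the device rather than trusting the install-time prompt, it reduces on-screen exposure by blocking capture, hiding the control from unreviewed services and rejecting touches delivered through an overlay, and it forces a biometric step-up when an unreviewed service is active. It assumes the androidx.appcompat, androidx.core and androidx.biometric libraries; the package name, activity class, allow-list entry and log tag are hypothetical.

```kotlin
// Hypothetical approval screen; the package, class and allow-list entry are assumptions.
package example.approval

import android.accessibilityservice.AccessibilityServiceInfo
import android.app.Activity
import android.content.Context
import android.os.Build
import android.os.Bundle
import android.util.Log
import android.view.View
import android.view.WindowManager
import android.view.accessibility.AccessibilityManager
import android.widget.Button
import androidx.appcompat.app.AppCompatActivity
import androidx.biometric.BiometricManager
import androidx.biometric.BiometricPrompt
import androidx.core.content.ContextCompat

private const val TAG = "ApprovalPosture"

// Services reviewed and permitted while an approval is on screen, keyed by component id
// (package/class). Constructed placeholder: populate from your MDM or app-config policy.
private val ALLOWLISTED_SERVICES = setOf(
    "com.example.assistive/com.example.assistive.ScreenReaderService",
)

/** One enabled accessibility service, reduced to the facts the policy needs. */
data class EnabledService(val id: String, val packageName: String, val declaresAccessibilityTool: Boolean)

/** Every accessibility service enabled on the device right now, whichever app installed it. */
fun enabledAccessibilityServices(context: Context): List<EnabledService> {
    val am = context.getSystemService(Context.ACCESSIBILITY_SERVICE) as AccessibilityManager
    return am.getEnabledAccessibilityServiceList(AccessibilityServiceInfo.FEEDBACK_ALL_MASK).map { info ->
        EnabledService(
            id = info.id,
            packageName = info.resolveInfo.serviceInfo.packageName,
            // Android 13+ lets a service declare itself an assistive tool. Malware can set the same
            // manifest flag, so this is recorded for context only and never used as a trust signal.
            declaresAccessibilityTool =
                Build.VERSION.SDK_INT >= Build.VERSION_CODES.TIRAMISU && info.isAccessibilityTool,
        )
    }
}

/** Anything enabled that is not on the reviewed allow-list is treated as an untrusted controller. */
fun untrustedServices(services: List<EnabledService>): List<EnabledService> =
    services.filter { it.id !in ALLOWLISTED_SERVICES }

class ApprovalActivity : AppCompatActivity() {

    override fun onCreate(savedInstanceState: Bundle?) {
        super.onCreate(savedInstanceState)
        // Reduce on-screen exposure: no screenshots or screen recording of this window.
        window.addFlags(WindowManager.LayoutParams.FLAG_SECURE)

        val approve = Button(this).apply {
            text = "Approve transfer"
            // Overlay defence: drop touches delivered while another window covers this button.
            filterTouchesWhenObscured = true
            if (Build.VERSION.SDK_INT >= Build.VERSION_CODES.UPSIDE_DOWN_CAKE) {
                // Hide this control's text and actions from services not flagged as accessibility tools.
                setAccessibilityDataSensitive(View.ACCESSIBILITY_DATA_SENSITIVE_YES)
            }
            setOnClickListener { onApproveRequested() }
        }
        setContentView(approve)
    }

    private fun onApproveRequested() {
        // Runtime check: who controls the accessibility path now, not who was there at install time.
        val suspects = untrustedServices(enabledAccessibilityServices(this))
        if (suspects.isEmpty()) {
            completeApproval()
            return
        }
        // Posture is not clean: an unreviewed service can read this screen and inject clicks, so bind
        // the decision back to the person with a strong biometric that a service cannot synthesise.
        val prompt = BiometricPrompt(this, ContextCompat.getMainExecutor(this),
            object : BiometricPrompt.AuthenticationCallback() {
                override fun onAuthenticationSucceeded(result: BiometricPrompt.AuthenticationResult) =
                    completeApproval()
                override fun onAuthenticationError(errorCode: Int, errString: CharSequence) =
                    denyApproval(suspects)
            })
        prompt.authenticate(
            BiometricPrompt.PromptInfo.Builder()
                .setTitle("Confirm approval")
                .setSubtitle("An unrecognised accessibility service is active on this device")
                .setAllowedAuthenticators(BiometricManager.Authenticators.BIOMETRIC_STRONG)
                .setNegativeButtonText("Cancel")
                .build()
        )
    }

    private fun completeApproval() {
        setResult(Activity.RESULT_OK)
        finish()
    }

    private fun denyApproval(suspects: List<EnabledService>) {
        // Record the controlling services so the SOC can correlate them with the blocked approval.
        Log.w(TAG, "approval denied; untrusted accessibility services: ${suspects.joinToString { it.id }}")
        setResult(Activity.RESULT_CANCELED)
        finish()
    }
}
```

Two design choices matter here. The allow-list, not the service's self-declared assistive flag, is the trust decision, because the attacker writes their own manifest. And the step-up is biometric-only (no device-credential fallback), because a service that can inject taps could also type a PIN. Any on-device check can be tampered with on a fully compromised device, so the result of this posture check should be reported to and enforced by the server alongside whatever device attestation is available, rather than trusted on the client alone.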

Standards & Framework Alignment

This section maps relevant standards and security frameworks to the operational risks and controls described in this guidance.

The OWASP Non-Human Identity Top 10 addresses the attack and risk surface, while NIST CSF 2.0 and NIST Zero Trust (SP 800-207) set the governance and control requirements practitioners need to meet.

  • OWASP Non-Human Identity Top 10, NHI-05: covers abuse paths where an attacker manipulates trust around non-human access flows.
  • NIST CSF 2.0, PR.AA-01: access authentication and authorization controls must resist covert session manipulation.
  • NIST Zero Trust (SP 800-207), SA-4: Zero Trust assumes no implicit trust in the device or session controlling access.

Do not let device-driven trust alone authorise sensitive actions; require stronger verification for approvals.