Wednesday, October 23, 2024

Google Play Store Warning—Stop Downloading These ‘Malicious Apps’


Google is on a mission to improve the safety of Android and its billions of users, as the platform closes the gap to iPhone. The latest innovations include a cull of higher risk Play Store apps and AI-powered live threat detection to flag dangerous malware on phones as soon as it appears. Yes, Google is under fire for some of these changes—as is Samsung, which has gone even further; but despite Epic’s lawsuit and new DOJ threats to its business model, it’s clear that the Android app landscape has changed.

Since its earliest days, sideloading apps from outside Play Store has been one of the most fundamental differences to iPhone. Perhaps more than anything else, it’s this change of direction that irks Android’s diehard fanbase. This month, we have seen Google VP Dave Kleidermacher warn that “Google and the security community have warned users for years about the real risks associated with downloading apps directly from the web,” in response to Epic’s push to make such installs simpler.


And now Google has painted an even bleaker picture as to the scale of the threat. “Based on our analysis of major fraud malware families that exploit sensitive permissions,” it has just warned in a new blogpost, “we found that over 95 percent of installations came from internet-sideloading sources.”

The permissions it has called out relate to those “frequently abused for financial fraud,” by which it means those that enable malware to “intercept one-time passwords via SMS or notifications, as well as spy on screen content.” Those specific permissions are:

  1. RECEIVE_SMS
  2. READ_SMS
  3. BIND_Notifications
  4. Accessibility

Google has just expanded its enhanced fraud protection campaign to India, following a highly successful pilot in Singapore which “blocked nearly 900,000 high-risk installations.” These new pilots enhance Google Play Protect, a Play Store defense system that protects users from dangerous apps both from within Play Store and installed from elsewhere. “To better protect users in India against novel malicious internet-sideloaded apps,” it says, “we launched Google Play Protect real-time scanning. This has already identified over net-new 10 million malicious apps globally.”

While Play Protect is continually updated as new threats are flagged and confirmed, the enhanced offering seeks to root out such dangers at source before they are flagged. “This enhanced fraud protection will analyze and automatically block the installation of apps that may use sensitive permissions frequently abused for financial fraud… When a user in India attempts to install an application from an internet-sideloading source and any of these four permissions are declared, Play Protect will automatically block the installation with an explanation to the user.”


Make no mistake, these pilots should be a sign of things to come for everyone, everywhere. Permission abuse remains a nightmare for Android users. Just last month a new report warned that 50 of “the most popular apps on Google Play Store” seemingly “see no limits” when it comes to permissions. Google’s latest innovation is a crackdown on permission abuse above all, and is long overdue.

The “dangerous” permissions highlighted by that report include location tracking, access to cameras, contacts and the phone itself. Google’s enhanced protection doesn’t clamp down as widely as that, but focuses on financial exploits that require user credentials and one-time passcodes.

Google warns app developers that “now is a good time to review the permissions your app is requesting and ensure you’re following developer best practices.” This latest pilot begins next month and “will gradually roll out to all Android devices with Google Play services in India.” “Building a truly secure mobile experience is a collaborative effort,” Google says, “and we’re committed to working with governments, industry partners and other stakeholders to help you to be safer.”
