Scam and phishing attempts, particularly the financial ones, are becoming a persistent headache. The numbers give us a better illustration of the problem. In just the first six months of 2024, Indians lost more than ₹1,750 crore to cyber criminals, according to the government’s National Cybercrime Reporting Portal. A variety of elements at play, including OTP (or one time password) sharing and malware in phones. Google wants smartphones that run its Android operating system, to be better layered.
This would include securing users from scam methods that include screen sharing to access OTPs and passwords, as well as flagging and preventing dodgy app installations that can often be laden with malware, which will later run unnoticed in the background.
Eugene Liderman, who is Director of Mobile Security Strategy at Google, talks about a surgical approach the company’s taking with layering Android’s security mechanisms. “In this day, it is much easier for threat actors to create malware, and also quickly modify malware”, he says, in a conversation with HT. He’s describing polymorphic malware, that can bypass traditional antivirus and anti-malware protection engines.
It is a multi-pronged approach detailed at the tech giant’s annual Google for India summit, now in its tenth year. This includes a pilot project new enhanced fraud protection feature as part of the Google Play Protect suite, which will provide real-time scanning of apps on a phone, as well as block permissions for accessing messages or notifications from apps installed on an Android phone—and this is particularly true for side-loaded apps.
These measures build on enhancements to Google Messages, which can hide OTPs in notifications if a user’s phone is in screen sharing mode, a non-contact warning if a user clicks on a web link sent in a message and the spam block option. “Unfortunately, scammers are really good at building trust. We added this additional pop up for unknown contacts, with the ultimate goal to get the user to pause and think,” he says.
“Google Play Protect has always done some on-device assessing, what we have done now is really bolster that protection. When a new app is being downloaded that we’ve never seen before and we have no knowledge of, the install will be paused and there will be a prompt for the user to allow a scan,” explains Liderman.
The scan itself takes up to 10 seconds, during which time Play Protect’s mechanisms will assess whether this app install has any malicious layer, and a subsequent warning depending on severity.
HT can confirm that a user does not have to enable enhanced fraud protection feature as part of the Google Play Protect. And neither do the developers. It’ll be enabled by default once the Play Services update is installed automatically on your Android device.
“This is a system feature through Google Play Protect, and it goes all the way back to Android 6,” confirms Liderman. At this time, the latest flagships run Android 14, with an Android 15 update looming over the horizon (that’s expected in the next few weeks). For mid-range and affordable Android phones that often tend to run slightly older Android versions, the enhanced fraud protection feature will be compatible.
These measures build on Google Play Protect real-time scanning of apps already installed on an Android phone, announced at Google for India, last year.
Google realises it plays an important role in placing a firewall to protect unsuspecting, and often not alert smartphone users. Android, globally, has 71.65% market share, according to the latest numbers by research firm Statista. In India, that share is even higher, with StatCounter Global pegging this at 95.73% of the country’s overall smartphone OS skew.
Before changing certain app behaviour of Android, there have been investments in a modern systems-programming language called Rust. Native OS components are developed using this.
“Android devices start with hardware based security, encryption and integrity of the device. Android is a modern operating system, which has sandboxing, and therefore everything is isolated. Every process has access to its own storage, memory and CPU cycles. In fact, a lot of zero days in operating systems in general are memory related,” explains Liderman.
Android therefore becomes the first major modern operating system to use Rust, which is a memory safe language, instead of C/C++, which has helped reduce memory related exploits.
Now, all app permissions, particularly those that demand viewing access to incoming message notifications or to read messages, will be scanned and blocked proactively. Android reads these as ‘RECEIVE_SMS, READ_SMS, BIND_Notifications, and Accessibility’.
“When a user in India attempts to install an application from an Internet-sideloading source and any of these four permissions are declared, Play Protect will automatically block the installation with an explanation to the user,” confirms Google.
Side-loading refers to any other source other than the Google Play Store, Samsung’s Galaxy Store, Xiaomi’s GetApps store. Particularly dangerous are .apk files (these are Android app installation files) shared on WhatsApp or Messages, as well as via file manager apps.
“Those are the ones that are highly abusive because that’s where you will receive a link and you click it to download a .apk. Or someone send its on WhatsApp and says, its your bank, you to install this support app so we can fix your problem right away,” illustrates Liderman.
We asked Liderman about how Google sees the Android security layers evolving, considering its own Android’s Play Protect updates along with Truecaller’s powerful Caller ID and message sender detection, as well as the recently announced network-level ’suspected scam’ labelling by Airtel.
Also Read: Google for India: Android battles scammers, Gemini languages and loans on Pay
Google is only too happy to have solutions available for users. “That’s the nice thing about the Android model, that a lot of apps can play a role today. They can get access to the permissions to be able to detect when there’s a call coming in and notify the user.
From our perspective, we want to provide the best builtin out of the box security possible, but if a user wants a layer on more security, that’s great,” says Liderman.
“It’s great that there’s a vibrant ecosystem. If a user wants to layer on their own protections, I think that’s a great thing. From our perspective, we want to provide as much as possible because at the end of the day, not everybody can afford a premium and security is not something that should be considered a premium offering,” Liderman adds Google’s perspective of integrating solutions within Android.
A lot of phone makers still insist on installing the own apps on the Android phones they sell. Some examples include messaging apps, dialler apps, their own web browser, perhaps even a file manager. Samsung, Xiaomi, OnePlus, Vivo, most Android OEMs, or original equipment manufacturers, do this. We asked Liderman how Android’s new security measures such as enhanced fraud protection feature as part of the Google Play Protect and permission limits, work with those apps?
“The goal is to provide as many signals to other apps and make apps resilient. Any intelligence we can provide, is important. It is not competitive for us in that sense. As part of the Android team, our goal is to our app developers and then in return that helps keep users further safe. I mean, definitely a lot of the functionality we talk about here could be a good example—Chrome uses safe browsing, Samsung’s browser uses safe browsing, Safari uses safe browsing. That’s how it is, anything that’s a Google service, others can use to recapture,” says Liderman.