To reduce financial scams, Google has started a new program to prevent users from sideloading certain apps in Singapore. The company is looking to block sideloaded apps that abuse Android permissions to read one-time passwords received through SMS and notifications.
Google said there are four sets of permissions that bad actors exploit to commit financial fraud. According to the company’s survey, most of the apps that abuse these permissions are sideloaded, meaning they are installed onto the device manually rather than through the Play Store.
“These permissions are frequently abused by fraudsters to intercept one-time passwords via SMS or notifications, as well as spy on screen content. Based on our analysis of major fraud malware families that exploit these sensitive runtime permissions, we found that over 95 percent of installations came from Internet-sideloading sources,” the company said in a blog post.
The search giant said when a user in Singapore tries to install any such app, Google will automatically block the attempt with a message pop-up that reads: “This app can request access to sensitive data. This can increase the risk of identity theft or financial fraud.”
Google has developed this pilot in collaboration with the Cyber Security Agency of Singapore (CSA) as part of its Play Protect program.
Last October, the company announced a real-time scanning protection feature — with the first rollout in India — to stop users from sideloading malicious apps. In November, TechCrunch performed a test with over 30 different malicious apps. And while Google’s protection feature blocked most of them, some predatory loan apps were successfully installed.
“With this recent enhancement, we’re adding real-time scanning at the code-level to Google Play Protect to combat novel malicious apps, regardless of if the app was downloaded from Google Play or elsewhere,” said Google spokesperson Scott Westover in an email to TechCrunch at that time. “These capabilities will continue to evolve and improve over time, as Google Play Protect collects and analyzes new types of threats facing the Android ecosystem.”
Since then, Google has expanded the real-time scanning feature to new regions, including Thailand, Singapore, and Brazil.
With the latest announcement, Google alerted developers that their apps should not violate Mobile Unwanted Software principles and should follow guidelines. The company said it is open to expanding the pilot program to other countries.
“We are constantly improving our protections to keep Android users around the world safe. Together with CSA, we will be closely monitoring the results of the pilot program to assess its impact and make adjustments as needed. We are open to expanding the pilot to other countries in the future if we see similar interest and user protection needs,” Eugene Liderman, director of Android Security Strategy at Google, told TechCrunch in a statement.
Fraudulent loan apps have been a pain point for Google in geographies like India and Africa. In India, Google has faced scrutiny as predatory loan apps and their representatives have harassed people for repayment, driving some to suicide.
Last year, Google introduced a new policy to bar loan apps from accessing users’ photos and contact details.