Google has unveiled a new pilot program in Singapore that aims to prevent users from loading certain apps that abuse Android app permissions to read one-time passwords and collect sensitive data.
“This enhanced fraud protection will analyze and automatically block the installation of applications that may use sensitive runtime permissions that are often abused for financial fraud when a user tries to install an application from an Internet sideloading source (web browsers, messaging applications, or file managers),” the company said.
The feature is designed to examine the permissions declared by a third-party app in real time and look for requests for sensitive permissions related to reading SMS messages, decrypting or dismissing notifications from legitimate apps, and accessibility services that Android-based malware regularly abuses to extract valuable information.
As part of the test, users in Singapore who try to sideload such apps (or APK files) will be blocked from doing so by Google Play Protect and will see a pop-up message that reads: “This app may request access to sensitive data. This may increase risk of identity theft or financial fraud.”
“These permissions are often abused by fraudsters to intercept OTPs via SMS or notifications, as well as to spy on screen content,” said Eugene Liderman, director of mobile security strategy at Google.
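Defenders can apply the same kind of declared-permission check when triaging a sideloaded APK. The Python below is an added example, not Google Play Protect's logic or code from the company: it scans a manifest already decoded to text XML (for instance with apktool) for the three categories described above. The mapping of those categories to specific Android permission names and the sample manifest are assumptions made for illustration.

```python
import xml.etree.ElementTree as ET

A = "{http://schemas.android.com/apk/res/android}"  # namespace of android:* attributes

# Assumption: these standard Android permissions stand in for the categories the
# article names; the article does not list the exact permissions that are checked.
REQUESTED = {
    "android.permission.READ_SMS": "sms",
    "android.permission.RECEIVE_SMS": "sms",
}
BOUND_SERVICES = {
    "android.permission.BIND_NOTIFICATION_LISTENER_SERVICE": "notifications",
    "android.permission.BIND_ACCESSIBILITY_SERVICE": "accessibility",
}

# Constructed sample manifest (not taken from any real app).
SAMPLE = """<manifest xmlns:android="http://schemas.android.com/apk/res/android"
          package="com.example.constructed">
  <uses-permission android:name="android.permission.INTERNET"/>
  <uses-permission android:name="android.permission.RECEIVE_SMS"/>
  <application>
    <service android:name=".Helper"
             android:permission="android.permission.BIND_ACCESSIBILITY_SERVICE"/>
    <service android:name=".Sync"/>
  </application>
</manifest>"""

def sensitive_findings(manifest_xml):
    """Return sorted (category, permission or service name) pairs found in the manifest."""
    # Stdlib parser keeps the example self-contained; for untrusted files a
    # hardened parser such as defusedxml is the safer choice.
    root = ET.fromstring(manifest_xml)
    findings = set()
    # SMS access is requested directly with <uses-permission>.
    for tag in ("uses-permission", "uses-permission-sdk-23"):
        for el in root.iter(tag):
            name = el.get(A + "name", "")
            if name in REQUESTED:
                findings.add((REQUESTED[name], name))
    # Notification listeners and accessibility services are not requested that way:
    # the app declares a <service> guarded by the matching BIND_* permission.
    for svc in root.iter("service"):
        guard = svc.get(A + "permission", "")
        if guard in BOUND_SERVICES:
            findings.add((BOUND_SERVICES[guard], svc.get(A + "name", "?")))
    return sorted(findings)

if __name__ == "__main__":
    for category, item in sensitive_findings(SAMPLE):
        print(f"{category}: {item}")
```

A scan that only looks at `<uses-permission>` entries would miss the accessibility and notification-listener cases, which is why the service declarations are checked separately.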
The change is part of a concerted effort to combat mobile fraud, the tech giant said, urging app developers to follow best practices and review their apps’ device permissions to ensure they don’t violate mobile spam principles.
Google, which launched Google Play Protect real-time code-level scanning to detect new Android malware in select markets such as India, Thailand, Singapore and Brazil, said the effort enabled it to detect 515,000 new malicious apps and issue no less than 3.1 million warnings or blocks of these applications.
The development also comes as Apple announced sweeping changes to the App Store in the European Union to comply with the Digital Markets Act (DMA) ahead of the March 6, 2024 deadline. The changes, including sideloading and authentication for iOS apps, are expected to be released with iOS 17.4.
The iPhone maker, however, has repeatedly stressed that distributing iOS apps from alternative app markets exposes users in the EU to “increased privacy and security threats,” and that it has no plans to bring them to other regions.
“This includes new avenues for malware, scams and fraud, illegal and harmful content, and other threats to privacy and security,” Apple said. “These changes also threaten Apple’s ability to detect, prevent, and take action against malicious apps on iOS, and to support users affected by issues with apps downloaded outside the App Store.”