Google has unveiled a new pilot program in Singapore that aims to stop users from sideloading certain apps that abuse Android app permissions to read one-time passwords and collect sensitive data.
“This advanced fraud protection will automatically scan and block the installation of apps that may be using sensitive runtime permissions often abused for financial fraud when the user attempts to install the app from a sideloading source on the Internet (web browsers, apps messaging or file manager),” the company explained.
The feature is designed to examine permissions declared by a third-party app in real time and look for those trying to gain access to sensitive permissions associated with reading SMS messages, deciphering or dismissing notifications from legitimate apps and accessibility services equipped with have been regularly abused by Android-based malware to extract valuable information.
As part of the test, Singapore users who attempt to transfer such apps (or APK files) will be blocked from doing so via Google Play Protect and will see a pop-up message saying: “This app may request access to sensitive data This may increase the risk of identity theft or financial fraud.”
“These permissions are often abused by scammers to intercept one-time passwords via SMS or notifications, as well as spy on screen content,” said Eugene Liderman, Google’s director of mobile security strategy.
The change is part of a collaborative effort to combat mobile fraud, the tech giant said, urging app developers to follow best practices and review their apps’ device permissions to ensure it does not violate mobile software principles unwanted.
Google, which launched Google Play Protect programmatic real-time scanning to detect new Android malware in select markets such as India, Thailand, Singapore and Brazil, said the effort detected 515,000 new malicious apps and having issued no less than over 3.1 million warnings or blocks of such apps.
The development also comes as Apple announced sweeping changes to the App Store in the European Union to comply with the Digital Markets Act (DMA) ahead of the March 6, 2024 deadline. The changes, including authentication for iOS apps, are expected to become active with iOS 17.4.
The iPhone maker, however, has repeatedly stressed that distributing iOS apps from alternative app markets exposes EU users to “increased privacy and security threats” and that it does not intend to bring them to other regions.
“This includes new avenues for malware, fraud and scams, illicit and harmful content, and other privacy and security threats,” Apple said. “These changes also impair Apple’s ability to detect, prevent, and take action against malicious apps on iOS and to support users affected by issues with apps downloaded outside of the App Store.”