To reduce financial fraud, Google has launched a new program in Singapore to prevent users from sideloading certain apps. The company is looking to block sideloaded apps that abuse Android's permissions to read one-time passwords received via SMS and notifications.
Google says there are four sets of permissions that allow bad actors to commit financial fraud. According to the company's survey, most of these apps are sideloaded, meaning they are installed manually on the device rather than through the Play Store.
“These permissions are often abused by fraudsters to intercept one-time passwords via SMS or notifications, as well as to spy on screen content. Based on our analysis of the major rogue malware families that exploit these sensitive runtime permissions, we found that more than 95 percent of installations come from Internet-sideloading sources,” the company said in a blog post.
When a user in Singapore tries to install such an app, Google automatically blocks the attempt with a pop-up that reads, the search giant said: “This app may request access to sensitive data. This increases the risk of identity theft or financial fraud.”
Google developed this pilot in collaboration with Singapore's Cyber Security Agency (CSA) as part of its Play Protect program.
Last October, the company announced a real-time scanning protection feature to stop users from sideloading malicious apps, with the first rollout in India. In November, TechCrunch conducted a test with over 30 different malicious apps. Although Google's protection feature blocked most of them, some predatory loan apps were successfully installed.
“With this recent enhancement, we're adding real-time scanning at the code level to Google Play Protect to combat novel malicious apps, regardless of whether the app is downloaded from Google Play or elsewhere,” Google spokesperson Scott Westover said in an email to TechCrunch at that time. “These capabilities will continue to evolve and improve over time, as Google Play Protect collects and analyzes new types of threats facing the Android ecosystem.”
Since then, Google has expanded the real-time scanning feature to new regions including Thailand, Singapore and Brazil.
With the latest announcement, Google warned developers that their apps should not violate the Mobile Unwanted Software principles and should follow the guidelines.
Fraudulent loan apps are a problem for Google in regions such as India and Africa. In India, Google faces scrutiny as predatory lending apps and their representatives harass people for repayment, leading some to commit suicide.
Google introduced a new policy last year to prevent loan apps from accessing users' photos and contact details.