To reduce financial scams, Google has launched a new program to prevent users from downloading certain apps in Singapore. The company is looking to block sideloaded apps that abuse Android permissions to read one-time passwords received via SMS and notifications.
Google said there are four sets of permissions that bad actors exploit to commit financial fraud. According to the company’s research, most of these apps are sideloaded, meaning they are installed on the device manually rather than through the Play Store.
“These permissions are often used by fraudsters to intercept one-time passwords via SMS or notifications, as well as to spy on screen content. Based on our analysis of the large fraud malware families that exploit these sensitive runtime permissions, we found that over 95 percent of the installations came from download sources from the Internet,” the company said in a blog post.
The search giant said that when a user in Singapore tries to install any such app, Google will automatically block the attempt with a pop-up message that says: “This app may request access to sensitive data. This can increase the risk of identity theft or financial fraud.”
Google has developed this pilot program in collaboration with the Cyber Security Agency of Singapore (CSA) as part of the Play Protect program.
Last October, the company announced a real-time scanning protection feature — launching first in India — to stop users from sideloading malicious apps. In November, TechCrunch ran a test with more than 30 different malicious apps. And while Google’s protection feature blocked most of them, some predatory loan apps were successfully installed.
“With this recent enhancement, we’re adding real-time code-level scanning to Google Play Protect to combat new malicious apps, regardless of whether the app was downloaded from Google Play or elsewhere,” said Google spokesman Scott Westover in an email to TechCrunch at the time. “These capabilities will continue to evolve and improve over time as Google Play Protect collects and analyzes new types of threats facing the Android ecosystem.”
Since then, Google has expanded the real-time scanning feature to new regions including Thailand, Singapore and Brazil.
With the latest announcement, Google notified developers that apps must not violate mobile spam principles and should follow the instructions. The company said it is open to expanding the pilot program to other countries.
“We’re constantly improving our protections to keep Android users around the world safe. Together with CSA, we will closely monitor the results of the pilot program to assess its impact and make adjustments as needed. We are open to expanding the pilot to other countries in the future if we see similar user interest and protection needs,” Eugene Liderman, Director of Android Security Strategy at Google, told TechCrunch.
Fraudulent loan apps have been a pain point for Google in geographies such as India and Africa. In India, Google faces scrutiny as predatory loan apps and their proxies harass people for repayment, leading some to commit suicide.
Last year, Google introduced a new policy to ban lending apps from accessing users’ photos and contact information.