Google is testing blocking sideloaded Android apps with risky permissions

Google has launched a new pilot program to combat financial fraud by blocking side-loading of Android APK files that request access to risky permissions.

APK (Android Package) is a file format used to distribute Android applications for installation in the operating system. These files are usually distributed through third-party sites, allowing you to install apps outside of Google Play.


However, because these third-party sites do not review apps for malicious behavior, they may include malware, spyware, and other threats.

Given the complexity and difficulty of uploading bad apps to Google Play, threat actors are turning to social engineering, using various lures to convince targets to download malicious apps from unvetted third-party sources.

These APK files can trick victims into revealing sensitive personal and financial information, allowing threat actors to conduct financial fraud.

Google says that throughout 2023, fraud cost users more than $1 trillion in losses, with 78% of users surveyed (by the Global Anti-Fraud Alliance) reporting having experienced at least one fraud attempt.

Block dangerous applications

In October 2023, Google Play Protect received a new security feature that performs a real-time scan of APK files downloaded from third-party app stores and websites.

This feature has been rolled out in large markets, including India, Thailand, Brazil, and Singapore, and is expected to reach more countries this year.

Google says this feature identified 515,000 unwanted apps and warned or blocked 3.1 million installations.

To further enhance protection against unwanted apps, Google is now launching a beta in Singapore where it will directly block the installation of APKs that request access to the following risky permissions:

  • RECEIVE_SMS – Attackers use this to intercept one-time passwords (OTPs) or authentication codes sent via SMS, allowing unauthorized access to victims’ accounts.
  • READ_SMS – Attackers misuse this to read sensitive information, such as one-time passwords, banking messages or personal communications, without the user’s knowledge.
  • BIND_Notifications – Attackers exploit this to read or dismiss notifications from legitimate apps, including security alerts or OTP notifications, possibly without the user noticing.
  • Accessibility – This permission, intended to help users with disabilities, provides the malicious APK with broad access to control the device and its functions. Attackers misuse it to monitor user actions, retrieve sensitive data, inject keystrokes, and execute commands remotely, often leading to the entire device being compromised.

“Based on our analysis of the major phishing software families exploiting these sensitive runtime permissions, we found that more than 95 percent of installations came from online sideloading sources,” Google’s report said.

“During the upcoming beta, when a user in Singapore tries to install an app from an online sideload source and any of these four permissions are declared, Play Protect will automatically block the installation with an explanation to the user.”

BleepingComputer asked Google about its plans to roll out this new security feature to the rest of the world, and a spokesperson sent the following statement:

We’re constantly improving our protections to keep Android users around the world safe. In collaboration with the Cyber Security Agency of Singapore (CSA), we will closely monitor the results of the pilot to assess its impact and make adjustments as needed.

We are open to expanding the pilot program to other countries in the future if we see similar interest and user protection needs. – Google spokesperson

Meanwhile, Android users are advised to avoid APK downloads as much as possible, check required permissions during app installation, and perform Play Protect scans regularly.
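One way to check a sideloaded APK for the four declarations listed above before installing it, as an added example that is not from Google or the original article. It assumes the manifest has already been decoded to text XML (for example with apktool), and that the article's "BIND_Notifications" and "Accessibility" correspond to the Android `BIND_NOTIFICATION_LISTENER_SERVICE` and `BIND_ACCESSIBILITY_SERVICE` service permissions; the function name and sample manifest are constructed.

```python
import xml.etree.ElementTree as ET
# For manifests taken from hostile APKs, a hardened parser such as defusedxml is preferable.

ANDROID_NS = "{http://schemas.android.com/apk/res/android}"

# Requested by the app itself through <uses-permission>.
USES_PERMISSION = {
    "android.permission.RECEIVE_SMS": "RECEIVE_SMS",
    "android.permission.READ_SMS": "READ_SMS",
}
# Not requested with <uses-permission>: declared on a <service> the system binds to.
# Mapping the article's labels to these constants is an assumption of this example.
SERVICE_BINDING = {
    "android.permission.BIND_NOTIFICATION_LISTENER_SERVICE": "BIND_Notifications",
    "android.permission.BIND_ACCESSIBILITY_SERVICE": "Accessibility",
}

def risky_declarations(manifest_xml: str) -> dict[str, list[str]]:
    """Return {article label: [where it is declared]} for the four risky permissions."""
    root = ET.fromstring(manifest_xml)
    found: dict[str, list[str]] = {}
    for tag in ("uses-permission", "uses-permission-sdk-23"):
        for el in root.iter(tag):
            label = USES_PERMISSION.get(el.get(ANDROID_NS + "name", ""))
            if label:
                found.setdefault(label, []).append(f"<{tag}>")
    for svc in root.iter("service"):
        label = SERVICE_BINDING.get(svc.get(ANDROID_NS + "permission", ""))
        if label:
            found.setdefault(label, []).append(svc.get(ANDROID_NS + "name", "?"))
    return found

# Constructed sample manifest (not from a real app).
SAMPLE = """<manifest xmlns:android="http://schemas.android.com/apk/res/android"
          package="com.example.constructed">
  <uses-permission android:name="android.permission.INTERNET"/>
  <uses-permission android:name="android.permission.RECEIVE_SMS"/>
  <application>
    <service android:name=".Helper"
             android:permission="android.permission.BIND_ACCESSIBILITY_SERVICE"/>
  </application>
</manifest>"""

if __name__ == "__main__":
    for label, where in risky_declarations(SAMPLE).items():
        print(f"{label}: declared at {', '.join(where)}")
```

A scan limited to `<uses-permission>` entries would miss the notification-listener and accessibility cases, because those appear only as the `android:permission` attribute of a `<service>` element.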

Update 2/8 – Added Google statement
