SINGAPORE – Android users here will be blocked from installing apps from unverified sources, a process called sideloading, as part of a new trial by Google to crack down on malware scams.
The security tool will work in the background to detect apps that demand suspicious permissions, like the ability to spy on screen content or read SMS messages, which scammers have been known to abuse to intercept one-time passwords.
Singapore is the first country to begin the gradual roll-out of the security feature over the next few weeks, done in collaboration with the Cyber Security Agency of Singapore, according to a statement on Feb 7 by Google, which develops the Android software.
The update will progressively arrive on all Android users’ devices and will be enabled by default through Google Play Protect, said Google’s director of Android security strategy Eugene Liderman, in reply to questions by The Straits Times.
Users who are blocked from downloading a suspicious app will be notified with an explanation.
Users cannot deactivate the pilot feature without disabling all of Google Play Protect, said Mr Liderman, adding that deactivation of the program, which scans Android devices for harmful behaviour like suspicious apps, is not recommended for user safety.
“We’ve designed the pilot this way, as fraudsters frequently use social engineering to convince users to deactivate mobile app protection warnings when scamming or stealing data from a victim.”
Mr Liderman added: “Given the rise in financial fraud cases within the past year and the widespread use of Android phones in Singapore, this enhanced security feature will offer vital protection to many mobile users.”
The update, which will be automatically activated, will roll out to all Android devices here with Google Play services – a security program built into Android devices that scans for potentially harmful apps – starting with a small number of users to assess the effectiveness of the tool, he said.
Sideloaded apps range from apps used by overseas businesses that do not use the Google ecosystem to device customisation tools and free versions of paid apps. But users have also been tricked into installing apps that allow fraudsters to spy on their devices and enter their bank accounts.
In a malware scam, victims are typically directed to download an Android package kit (APK) file through sources such as websites or messaging apps to receive gifts or deals. This was the mode of operation employed in major malware scam campaigns to hijack victims’ devices and steal their money.
More than 1,400 victims fell prey to malware scams between January and August, with total losses amounting to at least $20.6 million, the police said.
The feature marks Google’s most heavy-handed move to stamp out malicious sideloaded apps.