Google Tests Blocking Side Loaded Android Apps With Risky Permissions
Google has launched a new pilot program to fight financial fraud by blocking the sideloading of Android APK files that request access to risky permissions.
An APK (Android Package) is a file format used to distribute Android apps for installation in the operating system. These files are commonly distributed through third-party sites, allowing you to install apps outside of Google Play.
However, as these external sites do not review the apps for malicious behavior, they can include malware, spyware, and other threats.
Due to the complexity and difficulty of uploading bad apps on Google Play, threat actors revert to social engineering, using various lures to convince targets to download malicious apps from external, unvetted sources.
These APKs can trick victims into disclosing sensitive personal and financial information, allowing threat actors to conduct financial fraud.
Google says that throughout 2023, scams on the Android platform cost users over $1 trillion in losses, with 78% of the surveyed users reporting experiencing at least one scam attempt.
Blocking risky apps
In October 2023, Google Play Protect received a new security feature that performs real-time scanning of APKs downloaded from third-party app stores and websites.
This feature has been rolled out to large markets, including India, Thailand, Brazil, and Singapore, and it is expected to reach more countries this year.
Google says this feature has identified 515,000 unwanted apps and warned about or blocked 3.1 million installations.
To strengthen protections against unwanted apps further, Google is now launching a pilot in Singapore where it will straight out block the installation of APKs that request access to the following risky permissions:
- RECEIVE_SMS – Attackers use this to intercept one-time passwords (OTPs) or authentication codes sent via SMS, enabling unauthorized access to victims’ accounts.
- READ_SMS – Abused by attackers to read sensitive information, such as OTPs, banking messages, or personal communications, without the user’s knowledge.
- BIND_Notifications – Attackers exploit this to read or dismiss notifications from legitimate apps, including security alerts or OTP notifications, potentially without the user noticing.
- Accessibility – This permission, meant to assist users with disabilities, provides the malicious APK app with broad access to control the device and its functions. Attackers abuse it to monitor the user’s actions, retrieve sensitive data, input keystrokes, and execute commands remotely, often leading to complete device compromise.
“Based on our analysis of major fraud malware families that exploit these sensitive runtime permissions, we found that over 95 percent of installations came from Internet-sideloading sources,” reads Google’s report.
“During the upcoming pilot, when a user in Singapore attempts to install an application from an Internet-sideloading source and any of these four permissions are declared, Play Protect will automatically block the installation with an explanation to the user.”
BleepingComputer has asked Google about its plans to roll out this new protection feature to the rest of the world, and we will update this post as soon as we know more.
Meanwhile, Android users are advised to avoid APK downloads as much as possible, scrutinize permissions requested during app installation, and run Play Protect scans regularly.