Google tests blocking side-loaded Android apps with risky permissions

  • February 7, 2024
  • 01:57 PM

Google has launched a new pilot program to fight financial fraud by blocking the sideloading of Android APK files that request access to risky permissions.

An APK (Android Package) is a file format used to distribute Android apps for installation in the operating system. These files are commonly distributed through third-party sites, allowing you to install apps outside of Google Play.

However, as these external sites do not review the apps for malicious behavior, they can include malware, spyware, and other threats.

Because uploading malicious apps to Google Play is complex and difficult, threat actors resort to social engineering, using various lures to convince targets to download malicious apps from external, unvetted sources.

These APKs can trick victims into disclosing sensitive personal and financial information, allowing threat actors to conduct financial fraud.

Google says that throughout 2023, scams cost users over $1 trillion in losses, with 78% of users surveyed by the Global Anti-Scam Alliance reporting at least one scam attempt.

Blocking risky apps

In October 2023, Google Play Protect received a new security feature that performs real-time scanning of APKs downloaded from third-party app stores and websites.

This feature has been rolled out to large markets, including India, Thailand, Brazil, and Singapore, and it is expected to reach more countries this year. 

Google says this feature has identified 515,000 unwanted apps and warned about or blocked 3.1 million installations.

To further strengthen protections against unwanted apps, Google is now launching a pilot in Singapore where it will outright block the installation of APKs that request access to the following risky permissions:

  • RECEIVE_SMS – Attackers use this to intercept one-time passwords (OTPs) or authentication codes sent via SMS, enabling unauthorized access to victims' accounts.
  • READ_SMS – Abused by attackers to read sensitive information, such as OTPs, banking messages, or personal communications, without the user's knowledge.
  • BIND_Notifications – Attackers exploit this to read or dismiss notifications from legitimate apps, including security alerts or OTP notifications, potentially without the user noticing.
  • Accessibility – This permission, meant to assist users with disabilities, provides the malicious app with broad access to control the device and its functions. Attackers abuse it to monitor the user's actions, retrieve sensitive data, input keystrokes, and execute commands remotely, often leading to complete device compromise.

"Based on our analysis of major fraud malware families that exploit these sensitive runtime permissions, we found that over 95 percent of installations came from Internet-sideloading sources," reads Google's report.

"During the upcoming pilot, when a user in Singapore attempts to install an application from an Internet-sideloading source and any of these four permissions are declared, Play Protect will automatically block the installation with an explanation to the user."

BleepingComputer asked Google about its plans to roll out this new protection feature to the rest of the world, and a spokesperson has sent the following statement:

"We are constantly improving our protections to keep Android users around the world safe. Together with the Cyber Security Agency of Singapore (CSA), we will be closely monitoring the results of the pilot program to assess its impact and make adjustments as needed.

"We are open to expanding the pilot to other countries in the future if we see similar interest and user protection needs." - Google spokesperson

Meanwhile, Android users are advised to avoid APK downloads as much as possible, scrutinize permissions requested during app installation, and run Play Protect scans regularly.

Update 2/8 - Added Google statement
