Why Google Is Suddenly Blocking Some Android Users From Sideloading Apps
Right from the start, Android has allowed you to install any software you come across on the internet, provided you aren't deterred by the prominent and increasingly scary warnings. Google is testing a new tactic to prevent the spread of mobile malware, but it's somewhat more draconian than its past efforts. The new pilot program in Singapore will completely block the installation of some sideloaded apps in the name of security.
Google says it's working with the Cyber Security Agency of Singapore (CSA) to roll the new security feature out in the coming weeks. When it's live, users downloading APK files from third-party sources may find some of them won't work. Google is targeting a collection of permissions that are commonly used in malware, particularly financial fraud. Here are the risky permissions.
According to Google, a downloaded APK file that declares any of those dangerous permissions won't be installed. Users will get an explanation of the block, but there won't be an option to bypass, which might annoy people who've gotten used to installing any ill-advised app they might come across. There will be no change for apps installed from the Google Play Store, and the installation blocks will only be deployed on Google-certified Android devices with Play Services.
Google says it will work with the CSA to monitor the results of the pilot program. Google didn't mention any plans to expand the test, but that could come after the Android maker better understands the impact of blocking these sideloaded apps. In the meantime, it advises developers to make sure their apps only declare the permissions they absolutely need.
Google says it's working with the Cyber Security Agency of Singapore (CSA) to roll the new security feature out in the coming weeks. When it's live, users downloading APK files from third-party sources may find some of them won't work. Google is targeting a collection of permissions that are commonly used in malware, particularly financial fraud. Here are the risky permissions.
- RECEIVE_SMS: Malware uses this permission to intercept two-factor codes to access the victim's accounts.
- READ_SMS: Used to read the two-factor codes in received SMS messages.
- BIND_Notifications: Can read or dismiss notifications, potentially hiding the malware's activity from the user.
- Accessibility: A service usually aimed at helping people with disabilities use their devices, Accessibility can also allow malware to emulate taps and monitor user activities.
According to Google, a downloaded APK file that declares any of those dangerous permissions won't be installed. Users will get an explanation of the block, but there won't be an option to bypass, which might annoy people who've gotten used to installing any ill-advised app they might come across. There will be no change for apps installed from the Google Play Store, and the installation blocks will only be deployed on Google-certified Android devices with Play Services.
Google says it will work with the CSA to monitor the results of the pilot program. Google didn't mention any plans to expand the test, but that could come after the Android maker better understands the impact of blocking these sideloaded apps. In the meantime, it advises developers to make sure their apps only declare the permissions they absolutely need.