Google pilots blocking some sideloaded apps in India
As online frauds and scams continue to proliferate across India, Google has announced plans for a big change in the country as it tries to mitigate the issue: it plans to block the sideloading of certain apps, specifically those users try to download straight from the internet. The pilot — announced at the annual Google for India event on Thursday — is part of what it described as “enhanced fraud protection” within Google Play Protect.
Sideloading, in which users load apps on their Android phones bypassing the official Google Play app store, has been a thorny issue for Google in the country before now, and this move signals that Google is slowly tightening up its policies around the practice, not just in India but in other regions as well.
Last October, Google also introduced a real-time scanning protection feature in India, aimed at curbing sideloading of malicious apps. But when TechCrunch tested the feature with over 30 malicious apps, we found that while it blocked most of them, some predatory loan apps bypassed the protection.
Meanwhile, in February, Google released the enhanced fraud protection in Singapore. The company said the move helped prevent 900,000 high-risk installations in the Southeast Asian country in six months.
To be clear, the pilot announced today during the India event will not sound the death knell for all sideloading in the country. Users will still be able to sideload offline apps, as well as use third-party app stores, from what we understand.
What Google will do is analyze and automatically block sideloading through the phone’s web browser, any messaging app (Android or otherwise), and any file manager, if the particular app install requests sensitive permissions, such as access to SMS, notifications, and accessibility features. That is because these permissions often allow fraudsters to steal one-time passwords, financial credentials, and other sensitive data.
The enhanced protection will “inspect the permissions the app declared in real-time and specifically look for permission requests that are frequently abused by fraudsters to intercept one-time passwords via SMS or notifications, as well as spy on screen content (they are RECEIVE_SMS, READ_SMS, BIND_Notifications, and Accessibility),” Google said in a blog post.
After the pilot begins, Google said Play Protect will automatically block such installations with an explanation.
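To make the check described above concrete, here is an added illustration (not Google's code and not part of the original article) that audits an app's decoded, plain-text AndroidManifest.xml for the four permissions and combines the result with the install source. It assumes the names in Google's quote map to the Android constants listed in the code; the source labels and sample manifests are constructed for the example.

```python
import xml.etree.ElementTree as ET

ANDROID = "{http://schemas.android.com/apk/res/android}"
# Requested by the app itself through <uses-permission>.
REQUESTED = {"android.permission.RECEIVE_SMS", "android.permission.READ_SMS"}
# Never requested: declared on a <service> so only the system can bind to it.
SERVICE_BOUND = {
    "android.permission.BIND_NOTIFICATION_LISTENER_SERVICE",
    "android.permission.BIND_ACCESSIBILITY_SERVICE",
}
# Constructed labels for the install sources the article names.
WATCHED_SOURCES = {"browser", "messaging", "file_manager"}

def flagged_permissions(manifest_xml: str) -> list[str]:
    """Sorted sensitive permissions declared in a decoded (text) manifest."""
    root = ET.fromstring(manifest_xml)
    found = set()
    for tag in ("uses-permission", "uses-permission-sdk-23"):
        for elem in root.iter(tag):
            name = elem.get(ANDROID + "name")
            if name in REQUESTED:
                found.add(name)
    for service in root.iter("service"):
        perm = service.get(ANDROID + "permission")
        if perm in SERVICE_BOUND:
            found.add(perm)
    return sorted(found)

def should_block(manifest_xml: str, install_source: str) -> bool:
    """Block only when a watched source delivers an app with flagged permissions."""
    return install_source in WATCHED_SOURCES and bool(flagged_permissions(manifest_xml))

# Constructed sample manifests (not taken from any real app).
SAMPLE_RISKY = """<manifest xmlns:android="http://schemas.android.com/apk/res/android" package="com.example.loan">
  <uses-permission android:name="android.permission.INTERNET"/>
  <uses-permission android:name="android.permission.READ_SMS"/>
  <application>
    <service android:name=".Helper"
             android:permission="android.permission.BIND_ACCESSIBILITY_SERVICE"/>
  </application>
</manifest>"""
SAMPLE_BENIGN = """<manifest xmlns:android="http://schemas.android.com/apk/res/android" package="com.example.notes">
  <uses-permission android:name="android.permission.INTERNET"/>
</manifest>"""

if __name__ == "__main__":
    for label, xml in (("risky", SAMPLE_RISKY), ("benign", SAMPLE_BENIGN)):
        print(label, flagged_permissions(xml), should_block(xml, "browser"))
```

Note that the notification-listener and accessibility entries never appear as `<uses-permission>` lines; they sit on a `<service>` element, so an audit that only lists requested permissions misses them.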
Google said it’s focusing on these particular sideload scenarios because — based on its analysis of major fraud malware families that exploit sensitive permissions — over 95 percent of suspicious installations came from these sources.
Google did not immediately respond to queries on when and where the feature will go live.
Google claimed that its existing fraud protection in India has saved more than $1.55 billion from financial scams since last year and has shown 41 million warnings for fraudulent transactions on Google Pay to Indian users. The Play Protect integration on Android devices also helped identify 10 million malicious apps globally, the company added. However, fraudsters still find ways to fool the system and attack gullible people in the world’s most populous country.
Google’s been taking a multi-level approach to the issue of fraud via mobile apps in India.
Last year, it announced a program called DigiKavach in India, where it works with firms and industry organizations in the financial sector to limit financial scams. The company also partnered with the Indian Cyber Crime Coordination Centre and onboarded Google Pay onto the Indian government’s National Cyber Crime Reporting portal to get critical signals and help investigate fraudulent financial activities.
The situation has been dire, however. In 2022, TechCrunch reported on how predatory loan apps in India were resulting in cases of people committing suicide. The central bank and government agencies introduced different measures to mitigate the risk of people being targeted by these apps. Nonetheless, fraudsters still find loopholes in the system to attack their prey.
Alongside the Play Protect update, Google Thursday announced it would launch a new Google Safety Engineering Center in India in 2025 that the company claimed to be “aimed at building and advancing security and online safety products and solutions.”
The center will have Google’s safety engineers working with local policy experts, government partners, and academia to address the country’s “online safety challenges, focusing on protecting users from threats like scams and fraud, bolstering enterprise and government security, and advancing cutting-edge research and development.”