Singapore Pilot Google Fraud

Google to block sideloading in Singapore in new financial fraud pilot 

In a bid to protect Android users from financial scams, Google is launching a pilot program in partnership with the Cyber Security Agency of Singapore (CSA) to prevent users from sideloading certain apps in Singapore.

The enhanced security feature, part of Google Play Protect, will analyse and automatically block the installation of apps that abuse Android permissions from reading one-time passwords received via SMS or notifications. 

Singapore Google Fraud Pilot Explained
Image courtesy of Google

According to Google, there are four sets of permissions that fraudsters exploit to commit financial fraud. These are: RECEIVE_SMS, READ_SMS, BIND_Notifications, and Accessibility.

“These permissions are frequently abused by fraudsters to intercept one-time passwords via SMS or notifications, as well as spy on-screen content,” the company wrote in a blog.

“Based on our analysis of major fraud malware families that exploit these sensitive runtime permissions, we found that over 95 per cent of installations came from Internet-sideloading sources.”

Related reading: What is App Cloud? How do I delete it?

First of its kind in Singapore

The search giant said that as part of the pilot when a user in Singapore tries to install an app and any of the four permissions are declared, Google will automatically block the installation. This will be followed up with a pop-up message with an explanation that will read: “This app can request access to sensitive data. This can increase the risk of identity theft or financial fraud”.

The enhanced fraud protection has undergone testing by the Singapore government, Google said and will be rolled to Android devices with Google Play services.

The company added that during the pilot, the two parties will monitor the results of the pilot “to assess its impact and make adjustments as needed”.

“We will also support CSA by continuing to assist with malware detection and analysis, sharing malware insights and techniques, and creating user and developer education resources,” Google stated.

“We believe industry collaboration is essential to protect users from mobile security threats and fraud. Piloting these new protections will help us stay ahead of new attacks and evolve our solutions to defeat scammers and their expanding fraud attempts.”

Recommended reading: Forget hacked toothbrushes, worry about the rise in real DDOS attacks

Aimee Chanthadavong
Aimee Chanthadavong

Aimee Chanthadavong has been a journalist, editor and content producer for more than a decade. During that time she's covered enterprise technology for premium websites such as ZDNet and InnovationAus as well as food and travel for Broadsheet and SBS.

NEXT UP