Why Google Is Suddenly Blocking Some Android Users From Sideloading Apps

Right from the start, Android has allowed you to install any software you come across on the internet, provided you aren't deterred by the prominent and increasingly scary warnings. Google is testing a new tactic to prevent the spread of mobile malware, but it's somewhat more draconian than its past efforts. The new pilot program in Singapore will completely block the installation of some sideloaded apps in the name of security.

Google says it's working with the Cyber Security Agency of Singapore (CSA) to roll the new security feature out in the coming weeks. When it's live, users downloading APK files from third-party sources may find some of them won't work. Google is targeting a collection of permissions that are commonly used in malware, particularly financial fraud. Here are the risky permissions.

• RECEIVE_SMS: Malware uses this permission to intercept two-factor codes to access the victim's accounts.
• READ_SMS: Used to read the two-factor codes in received SMS messages.
• BIND_Notifications: Can read or dismiss notifications, potentially hiding the malware's activity from the user.
• Accessibility: A service usually aimed at helping people with disabilities use their devices, Accessibility can also allow malware to emulate taps and monitor user activities.

Google recently deployed real-time scanning in Play Protect for users in India, Thailand, Brazil, and Singapore. It says those scans have revealed some 515,000 unwanted apps and blocked more than 3.1 million installations. Many of those apps use the above permissions to orchestrate scams, and 95% of those installations came from sideloading. Accessibility in particular is a long-time security risk, but it's also hugely useful. Not to mention, Google Play is not immune from malware infiltration. 

According to Google, a downloaded APK file that declares any of those dangerous permissions won't be installed. Users will get an explanation of the block, but there won't be an option to bypass, which might annoy people who've gotten used to installing any ill-advised app they might come across. There will be no change for apps installed from the Google Play Store, and the installation blocks will only be deployed on Google-certified Android devices with Play Services.

Google says it will work with the CSA to monitor the results of the pilot program. Google didn't mention any plans to expand the test, but that could come after the Android maker better understands the impact of blocking these sideloaded apps. In the meantime, it advises developers to make sure their apps only declare the permissions they absolutely need.