You're forgetting the installation ("sideloading", what everyone else calls installation) restrictions they are about to deploy. It will be a significant hassle to install anything without Google's approval. Many F-Droid apps are showing warning notices about this upcoming change.
Good, it shouldn't be two clicks for elderly people to install trojans on their phone that then drain their bank account. There should be some explicit confirmation that the user knows what they are doing and they are not being scammed. It is long overdue.
> Good, it shouldn't be two clicks for elderly people to install trojans on their phone that then drain their bank account.
And what makes you think that most scams involve fancy zero-days/CVEs/hijacking the OS, and not simple social engineering?
You do not require a malicious APK to receive 2FA codes, or for the gullible user to read them aloud to the scammer. All phones come with an SMS app and a phone app.
You do not require a malicious APK to send transactions in banking apps (e.g. tricking people selling their product into sending the money).
You do not require a malicious APK to engage in a pig-butchering scam, or to buy gift cards.
> There should be some explicit confirmation that the user knows what they are doing and they are not being scammed. It is long overdue.
I agree. Governments should raise awareness of social engineering countermeasures. But blocking third-party apps for this is like using a cannon to shoot a mosquito. I'm not sure it makes the slightest bit of sense.
> We can and should address more than one problem at a time.
Very much agree. Here in India, one of the big telcos has now rolled out a system where if you're on a call with an unknown number, OTPs are not sent to the phone until the call ends. IMO systems like this (or, ironically, using OEM-installed on-device AI as a MITM to stop a call when an OTP is heard) are very good ideas.
> Malicious APKs are a real problem that exists. I work tangentially in this space.
Not doubting it for a moment. I myself have installed an app (which, in my defense, I pretty much suspected to be malware) that was malware. Even a few weeks ago I helped someone remove a hidden app that was draining their battery like anything (I don't know doing what, crypto mining or something I guess?). Of course this app had accessibility permissions and would close Settings if you tried to uninstall it.
On the flip side, I've also been stopped by my own phone from giving accessibility permissions... to TapTap (a FOSS app by legendary developer quinny98) [1].
I should probably add - here in India, UPI scams use(d?) to be very common, let alone "giving someone your OTP" scams. I personally know someone very close who's lost a good bit of money, purely via someone social engineering them to hand over OTPs.
Even today, scammers call and threaten a "digital arrest" (whatever the fuck that is) to unsuspecting victims. Presumably many hand over their money.
I have absolutely nothing against technical solutions. But IMO social education to never install apps from outside the Play Store, combined with the "Digital Arrest does not exist" ads that the Indian govt is already running, is significantly stronger and resistant to many more things (like I mentioned: pig-butchering or gift card scams).
I would be very curious if you had stats for how much is lost to scams via social engineering, vs malware. I asked Gemini (I can share the chat link via some private method of communication if you're interested), and apparently per IC3, it's 13.7B USD for social engineering, vs 1.57B USD for malware. If you have better data, I'd be happy to know more.
> I’d agree, if that was what was going to happen. But it isn’t. Google is not going to block 3rd party apps.
Perhaps I'm a cynical guy (which is true!), but I see zero reason to give Google the benefit of the doubt when it comes to control. I understand you're perhaps a Googler (or you work on the same side); nothing against it at all. Hardening is 100% helpful.
But companies famously like to increase revenue, and do not care about users. Every app on the Play Store (and btw there are a ton of scammy ones; I know because I get their ads on YouTube :)) nets Google some money. There's nothing stopping Google from going "Actually, we decided to stop all APK installs as people get scammed by them" tomorrow.
There is no fundamental reason to believe them beyond trusting them at their word. And there are many reasons to not believe them, unfortunately.
IMO, the old adage holds true: beating tech is hard, beating humans (with a wrench ;)) is easy. A.k.a. XKCD 538.
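The call-aware OTP gating described in the reply above (hold OTP texts back while a call with an unknown number is in progress, release them when it ends) is simple enough to sketch. The following is an added example, not the telco's implementation or anything from the original thread; the OTP heuristic (a 4-8 digit run), the saved-contact list and the phone numbers are all made-up assumptions for the demonstration.

```python
from __future__ import annotations

import re
from dataclasses import dataclass, field

# Crude OTP heuristic (assumption): any 4-8 digit run in the body.
# A real carrier filter would key on registered sender IDs and message templates.
OTP_RE = re.compile(r"\b\d{4,8}\b")


@dataclass
class Sms:
    sender: str
    body: str


@dataclass
class OtpGate:
    """Holds back OTP-looking texts while a call with an unknown number is active.

    Non-OTP texts, and texts arriving during calls with saved contacts, pass
    through immediately; held OTPs are released when the last unknown call ends.
    """
    contacts: set[str] = field(default_factory=set)
    active_calls: set[str] = field(default_factory=set)
    deferred: list[Sms] = field(default_factory=list)
    delivered: list[Sms] = field(default_factory=list)
    trace: list[tuple[str, str]] = field(default_factory=list)

    def looks_like_otp(self, sms: Sms) -> bool:
        return OTP_RE.search(sms.body) is not None

    def unknown_call_active(self) -> bool:
        return any(number not in self.contacts for number in self.active_calls)

    def on_call_start(self, number: str) -> None:
        self.active_calls.add(number)
        kind = "contact" if number in self.contacts else "unknown"
        self.trace.append(("call_start", kind))

    def on_call_end(self, number: str) -> None:
        self.active_calls.discard(number)
        released = 0
        # Release held OTPs only once no call with an unknown party remains.
        if not self.unknown_call_active():
            released = len(self.deferred)
            self.delivered.extend(self.deferred)
            self.deferred.clear()
        self.trace.append(("call_end", f"released {released}"))

    def on_sms(self, sms: Sms) -> str:
        if self.looks_like_otp(sms) and self.unknown_call_active():
            self.deferred.append(sms)
            outcome = "deferred"
        else:
            self.delivered.append(sms)
            outcome = "delivered"
        self.trace.append(("sms", outcome))
        return outcome


def run_scenario() -> OtpGate:
    """Replay a constructed event stream (not real traffic) through the gate."""
    gate = OtpGate(contacts={"+911111111111"})  # one saved contact (made-up number)
    events = [
        ("sms", Sms("BANK", "Your login code is 482913")),            # no call: delivered
        ("call_start", "+919999000001"),                               # unknown caller
        ("sms", Sms("BANK", "OTP 771204 for transfer. Never share")),  # held back
        ("sms", Sms("+911111111111", "call me when free")),            # not an OTP: delivered
        ("call_end", "+919999000001"),                                 # held OTP released
        ("call_start", "+911111111111"),                               # saved contact
        ("sms", Sms("BANK", "OTP 556677 for transfer")),               # contact call: delivered
        ("call_end", "+911111111111"),
    ]
    for kind, payload in events:
        if kind == "sms":
            gate.on_sms(payload)
        elif kind == "call_start":
            gate.on_call_start(payload)
        else:
            gate.on_call_end(payload)
    return gate


if __name__ == "__main__":
    g = run_scenario()
    for entry in g.trace:
        print(entry)
    print([s.body for s in g.delivered])
```

Two caveats a practitioner would want stated: the gate only adds friction, since a scammer can tell the victim to hang up and call back after reading the code, so it should be paired with the awareness messaging discussed in the thread; and the digit-run heuristic will both miss OTPs in unusual formats and hold back harmless texts (a delivery tracking number, say), so a deployment needs sender-ID allowlists rather than a body regex.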
I am not a Googler and I am not fond of Google, but I don't have any reason to think that the changes they have proposed are some elaborate fabrication.
A decent amount of this fraud is not solely malware or solely social engineering; there are often elements of both, where they fool the person into installing the malware, which helps to further facilitate the scheme. And in these cases, urgency is often used as part of the SE vector. So I think a 24-hour waiting period and a warning about scams is a particularly good idea to mitigate these issues.
"This APK cannot be scanned and its safety cannot be verified. Learn more/go back", and "learn more" has a link that looks like nothing but is actually a button to install the app.
I can think of some easier things, for example popping up a dialog, pressing "install" and having my app actually be installed after that.
You're saying it should look like those damned browser certificate failure sites, with option to open the damn site hidden under button that looks like an unassuming link?