Financial fraud and online scams have become a new reality in today’s digital-savvy world, especially in a smartphone-heavy market like India where malware targeting smartphones is steadily becoming more complex. This has made Google’s Android, the most popular mobile operating system powering most smartphones in India, a prime target for malware makers. As cybercriminals improve their attacks' efficiency, Google is changing how it designs and builds security features on its smartphones, enhancing screening tools to detect malware and illicit activities.

The Indian Express' Anuj Bhatia spoke to Eugene Liderman, Director, Mobile Security Strategy, Google, on the sidelines of the Google for India event to discuss how one of the world’s biggest tech companies is working to protect users’ smartphones from online banking fraud and 'sophisticated' Android malware, staying one step ahead of bad actors’ schemes to sneak into our devices. Here are the edited excerpts from the interview with Liderman:

Q: Android users in India will automatically be blocked from installing apps from unverified sources with a new security feature that Google plans to roll out in the coming weeks. Can you tell us more about this feature and how Google is keeping up with new types of fraud? After all, scammers are constantly finding new ways to install malware on smartphones.

Liderman: It’s part of a pilot where the feature is integrated within Google Play Protect. When a user tries to install an app on their phone, Google Play Protect will do two things: first, it will check the source of the installation—whether it’s coming from a browser, a messaging app, or a file manager—and then determine whether the app is requesting permissions that are highly correlated with financial fraud. The goal is to allow users to install apps from outside of any app store if they choose to, but when this risky combination of factors occurs, we will take action. A good example is WhatsApp.
In this case, the app’s APK was sent to the user, and since WhatsApp doesn’t provide any warning, once they enabled this permission, Google Play Protect scanned the app. Because it came from WhatsApp as the installation source and requested these permissions, it was automatically blocked. India isn’t the first country where we're doing this. We’ve already run pilots in other markets, including Singapore, Thailand, and Brazil. The pilot works on any device running Android 6 or newer that has Google services. This means even the cheapest phones in the world will have this functionality enabled by default, as long as they have Google services. Users won’t have to do anything to turn it on; it will be activated by default.

Q: Has the rise of financial fraud in India and the increasing prevalence of mobile malware prompted Google to update the screening process for verifying apps before they are submitted for approval, especially in categories like loan, stock, and similar financial apps?

Liderman: We have a very rigorous process, but unfortunately, there are no policies for what we call internet-side-loaded sources, like browsers, messaging apps, or file managers. It’s the wild west when it comes to that. It’s not a Google Play issue. These apps are not being distributed through Google Play. When it comes to financial fraud, unfortunately, many of these apps may not be considered purely malicious. They could appear as very simple apps that merely access permissions and collect data, which, by default, definitively looks like malware. That’s why this pilot takes a more proactive, but highly targeted approach. It’s not looking at every app or every install source, but a very small subset of apps that are using these specific permissions. The data has shown that when these permissions are used, and the apps are distributed through internet-side-loaded sources like browsers, messaging apps, and file managers, there is a high correlation with financial fraud.

Q: How frequently does Google design security features with India in mind? For example, the OTP protection feature which is being introduced in Android 15.

Liderman: India is an important market to monitor trends and determine how we can continue to protect users. We collaborate not just with various organisations but also across different functions. Specifically for this pilot, we have been working closely with numerous cross-functional stakeholders like HDFC, as well as the Fintech Association for Consumer Empowerment. In fact, India and Brazil have developed an interesting reputation as proofing grounds for different scam tactics, which are then applied more broadly.

Q: Does Google analyse popular scams and use them as data points to design security features?

Liderman: Google is a very analytical company. Yes, we look at various scams. We're constantly monitoring different types of malware and evolving based on new trends. The thing is, because scammers often evolve their tactics, especially as the platform gets locked down in certain ways, this is an important consideration. If you look at how they are applying malware today, it’s not the most sophisticated method. Instead, it often involves tricking the user into ignoring warnings and then having them install something or share their screen. We have taken a more concerted approach, particularly regarding financial fraud and malware. We recognise that finances are very important, so we need to adopt a more restrictive and proactive approach, rather than relying solely on warnings, since scammers often trick users into ignoring those warnings.

Q: Is it true that bad actors often target low-end smartphone users with malware versus high-end smartphones?

Liderman: When it comes to financial fraud, I don't think scammers care much about the type of device. They tend to use a "spray and pray" approach rather than targeting specific devices. Unfortunately, these scammers can be viewed as salespeople.
They use a funnel system, and want to get as many people into the funnel as possible to maximise their returns. However, when it comes to high-risk targets, such as politicians or journalists, that’s a different scenario; they employ very targeted strategies, looking for specific device exploits and potentially targeting different types of devices. In contrast, with financial fraud, they don’t care about the device; they aren’t focused on a specific user. They are simply trying to trick whoever they can find.