Android 15 Rolls Out Advanced Features to Protect Users from Scams and Malicious Apps

Google is unveiling a set of new features in Android 15 to prevent malicious apps installed on the device from capturing sensitive data.

This constitutes an update to the Play Integrity API that third-party app developers can take advantage of to secure their applications against malware.

“Developers can check if there are other apps running that could be capturing the screen, creating overlays, or controlling the device,” Dave Kleidermacher, vice president of engineering for Android security and privacy, said.

“This is helpful for apps that want to hide sensitive information from other apps and protect users from scams.”

Additionally, the Play Integrity API can be used to check if Google Play Protect is active and if the user’s device is free of known malware before performing sensitive actions or handling sensitive data.

Google, with Android 13, introduced a feature called restricted settings that by default blocks sideloaded apps from accessing notifications and requesting accessibility services permissions.

In the latest iteration of the mobile operating system, the feature is being expanded by seeking user approval prior to enabling permissions when installing an app via sideloading from web browsers, messaging apps, and file managers.

“Developers can also opt-in to receive recent device activity to check if a device is making too many integrity checks, which could be a sign of an attack,” Kleidermacher added.

The changes are squarely aimed at Android banking trojans that are known to abuse their permissions to the accessibility services API to perform overlay attacks and turn off security mechanisms on the device to harvest valuable data.

That said, Android malware such as Anatsa has been observed circumventing restricted settings in recent months, indicating continued efforts on the part of threat actors to devise ways to breach security guardrails.

“We’re continuously working on improving and evolving our protections to stay ahead of bad actors,” a Google spokesperson told The Hacker News.

“We recently began piloting enhanced fraud protection with Google Play Protect, in countries where internet-sideloaded malicious app installs are prevalent. Enhanced fraud protection will block installs from Internet-sideloaded sources (messaging apps, websites, file managers), that use permissions commonly abused for financial fraud. This pilot is live in Singapore and Thailand.”

Alongside efforts to combat fraud and scams, Google is also stepping up cellular security by alerting users if their cellular network connection is unencrypted and if a bogus cellular base station or surveillance tool (e.g., stingrays) is recording their location using a device identifier.

The tech giant said it’s working closely with ecosystem partners, including original equipment manufacturers (OEMs), to enable these features to users over the next couple of years.

That’s not all. The company is tightening controls for screen sharing in Android 15 by automatically hiding notification content, thus preventing one-time passwords (OTPs) sent via SMS messages from being displayed during screen sharing.

“With the exception of a few types of apps, such as wearable companion apps, one-time passwords are now hidden from notifications, closing a common attack vector for fraud and spyware,” Kleidermacher said.

Rounding off the new fraud and scam protection features, Google said it’s diversifying Play Protect’s on-device AI capabilities with live threat detection to better identify malicious apps. The approach leverages the Private Compute Core (PCC) infrastructure to flag anomalous patterns on the device.

“With live threat detection, Google Play Protect’s on-device AI will analyze additional behavioral signals related to the use of sensitive permissions and interactions with other apps and services,” Kleidermacher said.

“If suspicious behavior is discovered, Google Play Protect can send the app to Google for additional review and then warn users or disable the app if malicious behavior is confirmed.”

Live threat detection also builds on a recently added capability that allows for real-time scanning at the code-level to combat novel malicious apps and help spot emerging threats.