zlacker

[return to "Google restricts Android sideloading"]
1. jeroen+n6[view] [source] 2025-06-05 17:11:16
>>fsflov+(OP)
What a weird thing to write a blog post about now. Did someone forget to hit publish on this back when it was written? The programme in question, announced a year and four months ago: https://security.googleblog.com/2024/02/piloting-new-ways-to...

AFAIK this only applies within Singapore (not sure if this applies to visiting devices) for apps requesting certain permissions (RECEIVE_SMS, READ_SMS, BIND_NOTIFICATIONS, and accessibility) downloaded outside of app stores (F-Droid is fine) and opened directly on the device (adb install is fine).

You can probably bypass the restriction by just disabling Play Protect if you don't want Google to tell you what you can and cannot install, but I'm not in Singapore so I can't confirm if that will work or not. That said, Google has made it impossible to disable Play Protect while on a call, that's probably a smart move.

Based on this article from the Singapore police, the approach doesn't seem to have helped much: https://www.police.gov.sg/media-room/news/20250417_police_ad...

> In some cases, before downloading the malicious APK file, victims would also be guided to disable Google Play Protect that helps to prevent harmful downloads. Once Google Play Protect is disabled, victims would not receive alerts that there is malware introduced into their mobile phones. Victims may also be asked to download Virtual Private Network (VPN) applications from Google Play Store which would facilitate scammers’ connection to their Android device. Scammers would then be able to bypass the banking anti-malware measures and remotely access the victims’ banking accounts with the phished ibanking login credentials.

◧◩
2. Pxtl+5f[view] [source] 2025-06-05 18:07:51
>>jeroen+n6
Worth noting - was that before or after Google started getting painful decisions in court battles on the App Store thing?

Because this is not going to be super positive for them on that front.

> victims would also be guided to disable Google Play Protect that helps to prevent harmful downloads.

I feel like there's only so much a company can do when it comes to balancing protecting users from themselves vs allowing users free rights over their own computers, especially when users have gotten habituated to ignoring incessant safety warnings caused by attempts to protect users.

I also keep wondering how safe the Play store is from this stuff. The very existence of obscenely detailed public GPS datasets about Android users show that even "official store" apps are somewhat malicious.

I don't see a real solution besides giving a smart and friendly 3rd party admin rights over the devices of susceptible users.

[go to top]