Full Report
Google is working to enhance the security of its mobile operating system, focusing on preventing scammers from exploiting certain phone features during calls. One key feature of Android 16 aims to block actions such as sideloading apps or enabling accessibility access during an active phone call, both of which scammers commonly use to gain control of victims' devices.

The growing prevalence of online scams, fueled by advanced tools such as AI-driven speech synthesis, has put many users at risk. Scammers increasingly rely on psychological manipulation to convince unsuspecting individuals to share personal information, send money, or install harmful apps. This has prompted Google to develop a new security feature for Android 16 that makes it harder for scammers to succeed.

With this update, Android 16 prevents users from changing certain sensitive settings while they are on a call. The two settings scammers target most are sideloading apps and enabling accessibility access. Sideloading, which allows an app to install other apps from sources outside the Google Play Store, is often used to distribute malware. Accessibility access, on the other hand, gives an app the power to read the user's screen and perform actions on their behalf, essentially handing over control of the device.

## How the Feature Works in Android 16 Beta 2

Google has already rolled out these in-call protections in Android 16 Beta 2, offering users a preview of the upcoming feature. During an active phone call, Android now blocks any attempt to sideload apps or grant accessibility access. This is particularly important because scammers typically try to walk victims through the sideloading process over the phone. A closer look at Android 16 Beta 2 reveals a warning message that appears when a user attempts to enable sideloading during a call. The message advises that this action is commonly requested by scammers and urges caution when being guided by an unknown caller. This alert could serve as a red flag, prompting users to reconsider the legitimacy of the call. Furthermore, sideloading permissions are disabled by default, adding another layer of protection.

## Added Protection Against Malicious Permissions

Even if a victim has already enabled sideloading or downloaded a malicious app, Android 16 goes further by blocking the granting of accessibility access during calls. This step is crucial because, once an app has this level of control, it can take over the phone and compromise the user's privacy and security. Malicious apps that gain these permissions can perform harmful actions on the user's behalf, including stealing sensitive data or even locking the user out of their device. By preventing these changes during phone calls, Google aims to thwart scammers who attempt to install malware or obtain critical permissions during a conversation.

## The Growing Threat of Online Scams

As online scams become more sophisticated, scammers increasingly rely on phone calls to manipulate and defraud individuals. These scams often target older adults or those unfamiliar with digital security practices. The psychological tactics scammers use, such as creating a sense of urgency or fear, can be highly effective in tricking victims into complying with their demands. Scammers might ask victims to install apps that promise to help with a supposed issue, as in a fraudulent tech support call. Once the app is installed, the scammer gains access to the victim's device, potentially leading to further exploitation. With the introduction of these new security features in Android 16, Google is taking a proactive stance against such tactics. By making it harder for users to sideload apps or grant dangerous permissions during phone calls, Android hopes to reduce the effectiveness of these scams.

## Conclusion

The security measures in Android 16 Beta 2 are set to be part of the full Android 16 release later in 2025, building on previous updates such as Android 15's Enhanced Confirmation Mode. As scammers become more sophisticated, these new features, such as blocking sideloading permissions and restricting accessibility during calls, represent a vital step in Google's ongoing effort to protect users. By introducing these protective layers, Android 16 not only strengthens defenses against online scams but also empowers users to stay safe.
Analysis Summary
# Best Practices: Mobile Device Security Against In-Call Scams (Focusing on Android Hardening)
## Overview
These practices address the proactive security enhancements introduced in operating system updates (like the features discussed in Android 16) designed to prevent social engineering and scamming attempts that rely on gaining unauthorized access or installing malicious applications during an active phone call. The core mechanism involves restricting sensitive actions on the device while a call is active.
## Key Recommendations
### Immediate Actions
1. **Disable "Install Unknown Apps" (Sideloading) for Non-Essential Applications:** Review all applications that have permission to install other applications (sideloading) and revoke this permission unless absolutely necessary (e.g., for trusted app stores or development tools).
2. **Review and Restrict Accessibility Permissions:** Immediately audit all installed applications to see which ones possess Accessibility Service permissions. Revoke these permissions from any app not explicitly requiring deep integration for legitimate assistive purposes.
3. **Educate Users on Real-Time Call Context:** Inform all users that legitimate support or service representatives will *never* demand immediate installation of apps or changes to security settings during a live phone call.
### Short-term Improvements (1-3 months)
1. **Enforce Enhanced Operating System Updates:** Establish a policy to ensure all corporate and personal (if applicable) mobile devices are updated to the latest stable operating system version (e.g., migrating to Android 16 upon stable release) to inherit native security features blocking malicious call-time modifications.
2. **Implement Device Health Checks:** Deploy Mobile Device Management (MDM) solutions to monitor device configuration statuses, specifically alerting administrators if apps are granted sensitive permissions (like Accessibility or Install Unknown Apps) outside of approved deployment channels.
3. **Conduct Targeted Anti-Scam Training:** Schedule mandatory, recurring training sessions specifically focused on social engineering tactics used over voice calls, emphasizing the danger of following unsolicited instructions during a conversation.
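As an added example (not code from the article, from Google, or from any MDM vendor), the check below implements the permission audit called for in the Immediate Actions and the Device Health Checks above: it parses the output of two adb commands (`settings get secure enabled_accessibility_services`, whose value is colon-separated package/service entries, and `appops query-op REQUEST_INSTALL_PACKAGES allow`, assumed to print one package per line), compares each against an administrator allowlist, and ranks a package that holds both powers highest because that pairing is the sideload-then-accessibility chain the article describes. All package names, allowlists and command output are constructed.

```python
from dataclasses import dataclass

# Constructed sample of `adb shell settings get secure enabled_accessibility_services`:
# colon-separated "package/ServiceClass" entries (package names are made up).
SAMPLE_ACCESSIBILITY = (
    "com.example.screenreader/.ReaderService:"
    "com.example.remotehelper/com.example.remotehelper.OverlayService"
)
# Constructed sample of `adb shell appops query-op REQUEST_INSTALL_PACKAGES allow`
# (assumed to list one package per line): packages allowed to sideload other apps.
SAMPLE_INSTALL_UNKNOWN = "com.example.enterprisestore\ncom.example.remotehelper\n"

# Hypothetical allowlists an administrator would maintain for the fleet.
APPROVED_ACCESSIBILITY = {"com.example.screenreader"}
APPROVED_INSTALLERS = {"com.example.enterprisestore"}


@dataclass(frozen=True)
class Finding:
    package: str
    control: str   # "accessibility" or "install_unknown_apps"
    severity: str  # "medium", or "high" when one package holds both powers
    detail: str


def parse_accessibility_services(raw: str) -> list[tuple[str, str]]:
    """Split the settings value into (package, service class) pairs."""
    pairs = []
    for entry in raw.strip().split(":"):
        if entry:
            pkg, _, svc = entry.partition("/")
            pairs.append((pkg, svc))
    return pairs


def parse_install_unknown(raw: str) -> list[str]:
    """One package per non-empty line."""
    return [line.strip() for line in raw.splitlines() if line.strip()]


def audit(accessibility_raw: str, install_raw: str,
          approved_accessibility: set[str], approved_installers: set[str]) -> list[Finding]:
    """Flag every package holding either power outside the allowlists."""
    bad_a11y = [(p, s) for p, s in parse_accessibility_services(accessibility_raw)
                if p not in approved_accessibility]
    bad_inst = [p for p in parse_install_unknown(install_raw) if p not in approved_installers]
    # A package that can both install APKs and drive the screen matches the
    # sideload-then-accessibility chain, so it is ranked above either alone.
    both = {p for p, _ in bad_a11y} & set(bad_inst)
    findings = [Finding(p, "accessibility", "high" if p in both else "medium",
                        f"enabled service {s}") for p, s in bad_a11y]
    findings += [Finding(p, "install_unknown_apps", "high" if p in both else "medium",
                         "REQUEST_INSTALL_PACKAGES allowed") for p in bad_inst]
    return findings
```

Feed it the live command output from each managed device and forward any `high` finding to the alerting channel described in the MDM recommendation.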
### Long-term Strategy (3+ months)
1. **Adopt Zero Trust Principles for Mobile Access:** Ensure that no application or user is implicitly trusted. Require re-authentication or explicit secondary confirmation for sensitive actions, even if triggered by an authenticated session (a concept reinforced by confirmation modes mentioned in related updates).
2. **Standardize Secure Application Deployment:** Mandate that all organizational applications are deployed strictly through managed app stores or enterprise Mobile Application Management (MAM) solutions, rendering the "sideloading" path irrelevant for corporate assets.
3. **Develop an Incident Playbook for Voice-Based Compromise:** Create a clear, step-by-step procedure for users and IT teams covering immediate isolation, logging, and remediation steps if a user suspects they were coerced into granting permissions or installing software during a fraudulent call.
## Implementation Guidance
### For Small Organizations
- **Prioritize User Education:** Focus resources on highly visible and frequent training regarding fear-based tactics (e.g., "Your account is suspended," "We detected a virus").
- **Manual Review:** Since MDM might be costly, implement a quarterly manual security audit checklist for employee devices (if BYOD is involved), ensuring no suspicious sideloading apps are present.
### For Medium Organizations
- **Pilot MDM Deployment:** Begin deploying MDM tools to centrally manage security configurations, focusing initially on blocking all sideloading capabilities by default across the fleet.
- **Implement Pre-Call Security Checks:** Use security questionnaires or alerts before allowing users to install new administrative apps, irrespective of the time frame, forcing a pause point.
### For Large Enterprises
- **Integrate OS Features with Policy Enforcement:** Develop scripts or configurations within your MDM/EMM platforms to ensure that the *behavioral restrictions* introduced by new operating systems (like restricting permission changes during calls) are universally enforced and logged system-wide.
- **Establish Vendor Contracts for Emergency Patching:** Ensure SLAs are in place with mobile vendors/carriers to receive critical security updates immediately, minimizing the window between OS security feature release and organizational deployment.
## Configuration Examples
*While specific Android 16 APIs are not fully detailed, the concept implies the following underlying configuration enforcement:*
| Security Control | Action During Call State | Rationale |
| :--- | :--- | :--- |
| **Install Unknown Apps** | System Permission Granting Disabled | Prevents scammers from instructing the user to enable this setting to install malicious APKs. |
| **Accessibility Service Activation** | API calls to grant new service permissions blocked or flagged with high friction confirmation. | Thwarts installation of screen-reading or input-overlay malware designed to capture credentials. |
| **System Settings Modification** | Prevent non-privileged apps from accessing system settings intent handlers. | Halts remote configuration changes requested by the scammer. |
## Compliance Alignment
- **NIST Cybersecurity Framework (CSF):** Primarily aligns with the **Protect (PR)** Function (PR.IP - Information Protection Processes and Procedures, PR.DS - Data Security, PR.AC - Identity Management and Access Control) through preventative technical controls.
- **ISO/IEC 27001:** Aligns with **A.12 Operational Security** (specifically controls related to malware prevention and secure system engineering).
- **CIS Controls:** Aligns with **Control 4: Secure Configuration of Enterprise Assets and Software** (ensuring operating systems are configured securely) and **Control 17: Application Software Security** (if custom enterprise apps are involved).
## Common Pitfalls to Avoid
1. **Assuming OS Updates Are Automatic:** Do not rely solely on user action for OS upgrades; actively manage and verify deployment to leverage new security features like those in Android 16.
2. **Over-Permissive BYOD Policies:** Relaxing security controls because the device is not company-owned allows scammers a direct line into compromised user accounts that may have access to corporate resources.
3. **Ignoring the Voice Vector:** Focusing entirely on phishing emails and web threats while neglecting sophisticated voice social engineering (vishing/scams) leaves a major gap, as scammers are proving highly effective in this channel.
## Resources
- **Android Security Bulletins:** Monitor major platform updates for security enhancement release notes.
- **CISA Alerts:** Check CISA advisories for emergent threats involving mobile device compromise techniques.
- **MDM/EMM Vendor Documentation:** Consult platform-specific guides for enforcing application permission restrictions device-wide.