Full Report
At the Android Show on Tuesday, ahead of Google I/O, Google announced new security and privacy features for Android. These new features include new protections for calls, screen sharing, messages, device access, and system-level permissions. With these features, Google aims to protect users from falling for a scam, keep their details secure in case a […]
Analysis Summary
# Best Practices: Android Security Enhancements Against Scams and Theft
## Overview
These practices summarize new security and privacy features announced by Google for Android, designed to proactively protect users from various scams (e.g., social engineering via calls/screen sharing) and to secure devices against theft or unauthorized takeover by blocking risky system actions.
## Key Recommendations
### Immediate Actions
1. **Ensure Google Play Protect is Active:** Verify that Google Play Protect is enabled and running on all devices (Android 6 and later), as the system will now prevent disabling it when a user is engaged in a suspicious call.
2. **Educate Users on Screen Sharing Risks:** Immediately inform users that sharing their screen during calls, especially with unknown numbers, is a high-risk activity that may enable scammers to gain control or view sensitive information.
3. **Review App Permissions:** Review every app that holds **Accessibility Permissions** and confirm that each one actually needs them, because granting these permissions can allow a remote attacker, such as a scammer, to take over the device.
### Short-term Improvements (1-3 months)
1. **Update Android OS:** Ensure all eligible devices are running the latest Android version (Android 16 for maximum protection, Android 11+ for the bank warnings) to benefit from integrated scam warnings during calls and screen sharing.
2. **Test Screen Sharing Warnings (If Applicable):** If operating in the UK or planning to integrate with partner banking applications, begin testing the new warning screen that surfaces when opening a partner bank app while sharing the screen on a call with an unknown number (requires Android 11+).
3. **Implement Messaging Protection Updates:** Apply updates to Google Messages to leverage enhanced protection against scams delivered through messaging platforms.
### Long-term Strategy (3+ months)
1. **Establish Device Transfer Protocol:** Develop and enforce organizational policies regarding device recovery and transfer that account for enhanced security checks, especially around sideloading and accessibility permissions, to prevent takeover during potential compromise scenarios.
2. **Continuous User Security Training:** Integrate lessons learned from these new protections (e.g., risks of sideloading, danger of granting accessibility access during unknown calls) into ongoing mandatory security awareness training programs.
## Implementation Guidance
### For Small Organizations
- **Prioritize Updates:** Focus organizational resources on ensuring all employee devices are promptly updated to the latest stable Android release to gain immediate access to built-in protection layers against fraudulent calls and screen sharing.
- **Manual Audits:** Since automated systems may be limited, conduct quarterly manual reviews of accessibility permissions granted to non-standard applications on critical devices.
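
The accessibility-permission review recommended above (under Immediate Actions and in the manual audits) can be scripted over adb. This is an added example, not code from Google or the original report: it parses the `enabled_accessibility_services` secure setting and flags services outside an allowlist. The `APPROVED_PACKAGES` allowlist, the function names and the sample value are assumptions constructed for illustration.

```python
import subprocess

# Assumption: packages your organization has approved to run an accessibility service.
APPROVED_PACKAGES = {"com.google.android.marvin.talkback"}

def parse_enabled_services(raw):
    """Split the colon-separated ComponentName list into (package, class) pairs."""
    raw = (raw or "").strip()
    if raw in ("", "null"):          # 'settings get' prints "null" when unset
        return []
    services = []
    for entry in filter(None, (e.strip() for e in raw.split(":"))):
        package, sep, cls = entry.partition("/")
        if not (sep and package and cls):
            services.append((entry, None))      # malformed entry, keep for review
            continue
        if cls.startswith("."):                 # short form: class relative to package
            cls = package + cls
        services.append((package, cls))
    return services

def audit(raw, approved=APPROVED_PACKAGES):
    """Return findings for enabled services that are malformed or not approved."""
    findings = []
    for package, cls in parse_enabled_services(raw):
        if cls is None:
            findings.append(("malformed", package))
        elif package not in approved:
            findings.append(("unapproved", f"{package}/{cls}"))
    return findings

def read_from_device(serial=None):
    """Read the setting from a USB-debugging-enabled device via adb."""
    cmd = ["adb"] + (["-s", serial] if serial else [])
    cmd += ["shell", "settings", "get", "secure", "enabled_accessibility_services"]
    return subprocess.run(cmd, capture_output=True, text=True,
                          check=True, timeout=30).stdout

# Constructed sample value (not captured from a real device).
SAMPLE = ("com.google.android.marvin.talkback/"
          "com.google.android.marvin.talkback.TalkBackService:"
          "com.example.remotehelp/.AssistService")

if __name__ == "__main__":
    for kind, item in audit(SAMPLE):
        print(f"{kind}: {item}")
```

On a connected device, pass the output of `read_from_device()` to `audit()` instead of `SAMPLE`.
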
### For Medium Organizations
- **Device Management Policies:** Leverage Mobile Device Management (MDM) solutions to enforce baseline security settings, ensuring Google Play Protect cannot be disabled on managed endpoints.
- **Targeted Communication:** Conduct mandatory training sessions specifically detailing the new risks associated with call/screen-sharing scenarios and how the new OS features act as defensive layers.
### For Large Enterprises
- **Integration Validation:** If internal applications rely on accessibility services, collaborate with developers to ensure functionality remains intact while security barriers are being placed by the OS, especially concerning banking/financial workflows.
- **Telemetry Monitoring:** Establish monitoring to identify repeated attempts by malicious actors to gain device control via social engineering tactics that trigger the new Android safeguards (e.g., repeated failed sideload attempts during suspicious activity windows).
## Configuration Examples
The announced changes are system-level feature rollouts rather than user-configurable settings, but the key technical enforcement points are:
* **For Android 16 (and later):** System interception and blocking of:
  * Sideloading an app for the first time from unverified sources (web browser, messaging apps).
  * Granting Accessibility permissions to an app **while on a call**.
* **System Enforcement (Android 6+):** Prevention of disabling Google Play Protect **while on a call**.
* **Screen Sharing Interruption (Android 11+ with specific partner banks):** Triggering an immediate warning screen with an option to end screen sharing when a partner bank application is opened during a call with an unknown number.
## Compliance Alignment
While these are vendor-specific OS features, they support general security controls required by various frameworks:
* **NIST CSF:** Aligns with **Protect (PR.IP, PR.AC)** control families by hardening the endpoint against access attempts and preventing risky actions.
* **ISO 27001/27002:** Supports Annex A controls related to **Access Control** and **Operational Security**, particularly by controlling application installation and privileged permission assignment.
* **CIS Controls:** Supports controls related to **Application Software Security** and **Endpoint Device Security**, by providing default hardening against vulnerable configurations.
## Common Pitfalls to Avoid
1. **Ignoring OS Updates:** Assuming newer Android security features are automatically in place without updating the OS to the required versions (e.g., Android 11 for bank warnings, Android 16 for broader protections).
2. **Over-reliance on User Action:** Believing that warnings alone are sufficient protection. These features provide *system-level blocks* which are more robust than simple user alerts.
3. **Bypassing Accessibility Security:** Assuming accessibility permissions are benign. Scammers frequently exploit this permission (often during remote assistance sessions initiated via a scam call) to achieve full device control; vigilance here is critical.
## Resources
- Official Google/Android Developer Documentation regarding recent security releases (e.g., relating to Android 16 security features).
- Mobile Device Management (MDM) documentation for enforcing Play Protect status and configuration policies.