Full Report
Posted by Lyubov Farafonova, Product Manager, Phone by Google; Alberto Pastor Nieto, Sr. Product Manager Google Messages and RCS Spam and Abuse Google has been at the forefront of protecting users from the ever-growing threat of scams and fraud with cutting-edge technologies and security expertise for years. In 2024, scammers used increasingly sophisticated tactics and generative AI-powered tools to steal more than $1 trillion from mobile consumers globally, according to the Global Anti-Scam Alliance. And with the majority of scams now delivered through phone calls and text messages, we’ve been focused on making Android’s safeguards even more intelligent with powerful Google AI to help keep your financial information and data safe. Today, we’re launching two new industry-leading AI-powered scam detection features for calls and text messages, designed to protect users from increasingly complex and damaging scams. These features specifically target conversational scams, which can often appear initially harmless before evolving into harmful situations. To enhance our detection capabilities, we partnered with financial institutions around the world to better understand the latest advanced and most common scams their customers are facing. For example, users are experiencing more conversational text scams that begin innocently, but gradually manipulate victims into sharing sensitive data, handing over funds, or switching to other messaging apps. And more phone calling scammers are using spoofing techniques to hide their real numbers and pretend to be trusted companies. Traditional spam protections are focused on protecting users before the conversation starts, and are less effective against these latest tactics from scammers that turn dangerous mid-conversation and use social engineering techniques. To better protect users, we invested in new, intelligent AI models capable of detecting suspicious patterns and delivering real-time warnings over the course of a conversation, all while prioritizing user privacy. Scam Detection for messages We’re building on our enhancements to existing Spam Protection in Google Messages that strengthen defenses against job and delivery scams, which are continuing to roll out to users. We’re now introducing Scam Detection to detect a wider range of fraudulent activities. Scam Detection in Google Messages uses powerful Google AI to proactively address conversational scams by providing real-time detection even after initial messages are received. When the on-device AI detects a suspicious pattern in SMS, MMS, and RCS messages, users will now get a message warning of a likely scam with an option to dismiss or report and block the sender. As part of the Spam Protection setting, Scam Detection on Google Messages is on by default and only applies to conversations with non-contacts. Your privacy is protected with Scam Detection in Google Messages, with all message processing remaining on-device. Your conversations remain private to you; if you choose to report a conversation to help reduce widespread spam, only sender details and recent messages with that sender are shared with Google and carriers. You can turn off Spam Protection, which includes Scam Detection, in your Google Messages at any time. Scam Detection in Google Messages is launching in English first in the U.S., U.K. and Canada and will expand to more countries soon. Scam Detection for calls More than half of Americans reported receiving at least one scam call per day in 2024. To combat the rise of sophisticated conversational scams that deceive victims over the course of a phone call, we introduced Scam Detection late last year to U.S.-based English-speaking Phone by Google public beta users on Pixel phones. We use AI models processed on-device to analyze conversations in real-time and warn users of potential scams. If a caller, for example, tries to get you to provide payment via gift cards to complete a delivery, Scam Detection will alert you through audio and haptic notifications and display a warning on your phone that the call may be a scam. During our limited beta, we analyzed calls with Gemini Nano, Google’s built-in, on-device foundation model, on Pixel 9 devices and used smaller, robust on-device machine-learning models for Pixel 6+ users. Our testing showed that Gemini Nano outperformed other models, so as a result, we're currently expanding the availability of the beta to bring the most capable Scam Detection to all English-speaking Pixel 9+ users in the U.S. Similar to Scam Detection in messaging, we built this feature to protect your privacy by processing everything on-device. Call audio is processed ephemerally and no conversation audio or transcription is recorded, stored on the device, or sent to Google or third parties. Scam Detection in Phone by Google is off by default to give users control over this feature, as phone call audio is more ephemeral compared to messages, which are stored on devices. Scam Detection only applies to calls that could potentially be scams, and is never used during calls with your contacts. If enabled, Scam Detection will beep at the start and during the call to notify participants the feature is on. You can turn off Scam Detection at any time, during an individual call or for all future calls. According to our research and a Scam Detection beta user survey, these types of alerts have already helped people be more cautious on the phone, detect suspicious activity, and avoid falling victim to conversational scams. Keeping Android users safe with the power of Google AI We're committed to keeping Android users safe, and that means constantly evolving our defenses against increasingly sophisticated scams and fraud. Our investment in intelligent protection is having real-world impact for billions of users. Leviathan Security Group, a cybersecurity firm, conducted a funded evaluation of fraud protection features on a number of smartphones and found that Android smartphones, led by the Pixel 9 Pro, scored highest for built-in security features and anti-fraud efficacy1. With AI-powered innovations like Scam Detection in Messages and Phone by Google, we're giving you more tools to stay one step ahead of bad actors. We're constantly working with our partners across the Android ecosystem to help bring new security features to even more users. Together, we’re always working to keep you safe on Android. Notes Based on third-party research funded by Google LLC in Feb 2025 comparing the Pixel 9 Pro, iPhone 16 Pro, Samsung S24+ and Xiaomi 14 Ultra. Evaluation based on no-cost smartphone features enabled by default. Some features may not be available in all countries. ↩
Analysis Summary
Based on the provided context, which is an introductory snippet to a Google Online Security Blog post about new AI-powered scam detection features on Android, the specific, actionable security recommendations are limited because the detailed technical content of the article is truncated.
However, we can extract and extrapolate high-level security postures applicable when utilizing platforms with advanced, AI-driven security features like the one described. The focus will be on ensuring these protective mechanisms are active and leveraging platform security capabilities.
# Best Practices: Leveraging AI-Powered Threat Detection on Android Endpoints
## Overview
These practices focus on maximizing the effectiveness of modern, AI-driven security features (like those introduced by Google on Android) to detect and prevent sophisticated scams, malware, and phishing attempts delivered via mobile devices.
## Key Recommendations
### Immediate Actions
1. **Ensure Automatic Updates are Enabled:** Verify that the Android operating system and Google Play Services are set to update automatically to immediately receive the latest protection models and AI signature databases for scam detection.
2. **Activate Real-Time Protection:** Confirm that core security components, such as Google Play Protect, are running in their most active or "real-time" scanning mode to ingest and utilize the newest AI-powered scam detection features as soon as they are deployed.
3. **Review Device Security Status:** Immediately check the device's built-in security dashboard (e.g., in Pixel or standard Android settings) to ensure all security features are reported as "On" and functioning correctly.
### Short-term Improvements (1-3 months)
1. **Monitor and Validate App Permissions:** Conduct a review of all installed third-party applications, revoking unnecessary permissions, especially those related to accessibility services, SMS, and call history, which scammers frequently exploit.
2. **User Education on AI Limitations:** Distribute internal communications to users emphasizing that while AI protection is robust, it is not infallible. Educate staff to remain vigilant against social engineering tactics that bypass technical controls (e.g., urgent calls, spoofed identities).
3. **Secure Boot Chain Integrity:** For managed devices (especially Pixel devices leveraging Titan M2), regularly verify that the hardware root of trust and secure boot processes are operational, as these underpin the integrity of the AI security modules.
### Long-term Strategy (3+ months)
1. **Standardize on Latest OS Versions:** Establish a policy mandating the use of Android versions supported by the latest security enhancements (e.g., those supporting Private Compute Core features where applicable for enhanced privacy-preserving AI).
2. **Integrate Endpoint Telemetry:** If applicable (in enterprise environments), investigate methods to feed aggregated, anonymized threat telemetry back into the platform's security ecosystem to help further train and improve the AI models organization-wide.
3. **Establish Incident Response Playbook for Mobile Scams:** Develop specific procedures for handling incidents where a user successfully bypasses AI detection (e.g., responding to successful phishing credential theft or malware installation via sideloaded applications).
## Implementation Guidance
### For Small Organizations
- **Rely Heavily on Default Settings:** Ensure all endpoint devices are configured to use the manufacturer's default security settings, as these are typically optimized to leverage Google's latest defensive releases immediately.
- **Mandate Google Play Store Use:** Prohibit or severely restrict the sideloading of applications (installing apps from sources other than the Google Play Store) to maintain the integrity of the security ecosystem scan results.
### For Medium Organizations
- **Utilize Mobile Device Management (MDM):** Deploy an MDM solution to centrally enforce immediate minimum OS requirements, ensuring all devices adopt the hardware and software prerequisites necessary for the latest AI protections to function optimally.
- **Pilot New Features:** If new security releases are optional, use a pilot group to validate the impact of AI features on productivity before full deployment across the organization.
### For Large Enterprises
- **Harden Private Compute Core Usage:** Where endpoint devices support it, ensure that sensitivity controls are correctly configured for workloads utilizing the Private Compute Core to maintain data isolation during on-device AI processing.
- **Vulnerability Reporting Pipeline:** Formalize a process to report potential zero-day or novel scam vectors observed in the wild to Google's security teams, contributing to the faster adaptation of the global AI models.
## Configuration Examples
*No specific configuration syntax was provided in the truncated article text.*
## Compliance Alignment
While the article focuses on consumer/platform security enhancements, the features generally align with the principles of:
- **NIST SP 800-53 (Rev. 5):** SC (System and Communications Protection) controls regarding access control and boundary protection, and RA (Risk Assessment) controls related to continuous monitoring.
- **ISO/IEC 27002:** Controls related to protecting endpoints, user awareness, and secure system engineering.
- **CIS Benchmarks for Mobile:** Emphasis on patch management and restricting non-approved application sources.
## Common Pitfalls to Avoid
- **Ignoring System Updates:** Assuming that security updates are optional or can be postponed indefinitely, thereby losing access to critical, newly trained AI scam detection models.
- **Over-relying on User Vigilance Alone:** Believing that training can completely substitute for modern automated defense layers provided by the platform and AI systems.
- **Disabling Built-in Security Services:** Turning off Google Play Protect or similar services in an attempt to improve performance or install unauthorized enterprise tools, which cripples the advanced defenses.
## Resources
- **Google Online Security Blog:** Provides ongoing context for new security features.
- **Google Play Protect Documentation:** Official documentation on how the scanning service operates.
- **Android Security Bulletins:** For tracking the underlying OS security patches that enable these higher-level AI features.