New Google Play policy cuts both ways

Apps that demand access to calls and SMS messaging without good reason are being kicked off Google Play. We explain what threats might arise.

Not long ago, Google Play introduced a new requirement for apps. Programs are no longer allowed to request access to calls and SMS messaging if they can do without. The restriction is set to become even tougher, and soon only apps for calling and texting will be allowed to ask for these permissions. For now, however, the rule has a fairly long list of exceptions.

Developers were given until March 9 to bring their products in line with Google’s amended policy. We examine why the new requirement is a double-edged sword.

Excessively user-data-hungry apps

That Android apps often want more rights than they need for normal operation is not hard to verify: Glance at the list of permissions that they request during installation. Why, for example, does the AliExpress online store need to record audio? Or look at your call log?

Some apps request too many permissions

Example of an app requesting more permissions than it needs

Even major brands abuse permissions sometimes, and it should come as no surprise that apps from little-known or totally unknown publishers are even worse. Some of them could well be malicious and use access to calls and SMS messages to steal data and money. For example, malware that can send and receive SMS all by itself will have no trouble signing you up for some paid service or intercepting a message from a bank with a one-time-use code.

Google Play bets on security

Google says that the objective of these restrictions is to protect user privacy. The logic is simple: Bona fide developers prefer to give up unnecessary permissions than be barred from a software marketplace used by hundreds of millions of people. Meanwhile, malicious SMS interceptors and call spyware have nowhere to go but out. Great news all around, don’t you think? Unfortunately, life is not that simple.

What can go wrong: The exceptions that disprove the rule

In reality, a lot of apps need access to calls and SMS messaging to implement many useful functions, such as account verification, backup, syncing calls and messages across devices, blocking spam, and more.

So as not to hurt legitimate developers and deprive users of useful tools, the current Google Play policy provides for exceptions allowing these coveted permissions to be requested from users in such cases. The flip side is that cybercriminals can also circumvent the ban by integrating one of the allowed functions into their apps. So it is unlikely that Google Play will succeed in banishing all apps that snoop on calls and SMS messages: malicious flashlight apps will simply be replaced by malicious spam call blockers.

What else can go wrong? More than just malware will be ejected

Another potential problem: Google Play will show the door not only to suspicious apps, but to bona fide and useful ones, too. Most developers have probably revised the list of requested permissions without too much ado. But there may be some that for whatever reason could not or chose not to, preferring instead to walk away. It has happened before. The authors of the insanely popular Fortnite, for example, were unhappy with Google Play’s conditions, and decided to do without.

The departure of legitimate developers is not good news for users. First, apps absent from the official Google store will likely be sought elsewhere, increasing the chances of users ending up with a fake. Second, most developers that do not pass the new Google Play filter will move to sites with lower security requirements. Fans of their apps are sure to follow them, which means that the audience of such sites will increase. Good news for cybercriminals, either way.

How to survive the wind of change

Google Play’s new rule is set to upset the power dynamic in the mobile apps market, and it means that Android users will need to be especially vigilant in the near future.

  • First, never download apps from suspicious sources. If an app is not on Google Play, do not download it from the first site that crops up in the search results. Find the official developer’s website and download it from there.
  • Install software developed by reputable companies only. And before doing so, make sure that the app you’re after actually exists for Android.
  • Check what permissions the app wants, and do not give it extra rights, even if you are sure it is not malware. We already discussed app permission settings in Android 6 and 7 and Android 8 and higher.
  • Be sure to protect your system with a good antivirus solution such as Kaspersky Security Cloud. Its nose for malware is far more sensitive than yours.