Google is on a mission to narrow the gap between Android and iPhone, nowhere more so than with your security and privacy. Over the last year this campaign has reached new heights, with a cull of higher-risk Play Store apps, the promise of live threat detection, and a raft of new features dropping with Android 15. But Google’s latest update is a surprise and will leave users and their phones at serious risk.
The new clampdown on sideloading has been a key part of this new approach, with Google warning that installing apps from outside its Play Store is responsible for the majority of dangerous malware on the platform, and as a result making it more difficult to do. Play Protect, Android’s core defense to prevent known malware from installing on devices, now works across both Play Store and other installs.
The problem, though, is that sometimes Play Protect incorrectly flags sideloaded apps as being high-risk when they’re not. As such, users disable Play Protect to allow the app onto their phone. Given this is the last line of defense guarding your phone, and that socially engineered lures can trick users into installing all kinds of dangerous apps, this is definitely not something you should do. It’s made worse, because once you disable Play Protect you might forget to re-enable it, leaving your phone exposed.
As one of Google’s own security execs warned just a few weeks ago, “Google and the security community have warned users for years about the real risks associated with downloading apps directly from the web,” accusing Epic Games of a “dangerous move” when it sought to force Google to open up Play Store. The company has also reported that 95% of “malicious apps” come from sideloading.
But now, as discovered by Android Authority, “an APK investigation of the Play Store app version 43.4.23-31 has revealed that Google is working on a feature that will allow users to temporarily pause Play Protect instead of disabling it altogether… When available, users will be able to pause Play Protect for a day, and the security tool will automatically switch on the next day… The prompt also warns that “requests to pause or turn off play protect may be a scam.”
That last point is critical—an acknowledgement of the risks in taking this step, just as we saw last month with a change to prevent Play Protect from being disabled while on a call, to mitigate the risk that a scammer talks a victim into exposing their phone. Instead of this change, Google should make it harder—much harder—to disable Play Protect at all, and if needed it should be for minutes not the rest of a day.
Google can’t really have it both ways—either Play Protect is critical or it isn’t. It’s the default response from Google when new malware strikes, telling users to make sure it’s enabled. That protection falls away if it’s seen as the norm to disable it when an app can’t get through. How then does a user know what is dangerous and what isn’t.
And so I think this latest update—assuming it makes its way onto phones as expected—is a big mistake, it will provide everyday users with a setting that seems legitimate and normalized, rather than the more drastic step of disabling protection. It’s also a major surprise, given the recent changes in the other direction. It will prompt scammers to talk users through using this to facilitate malware installs. It would be much better to hold a firm line on the need to keep Play Protect enabled and to further hamper direct installs or the use of insecure third-party stores.
There are plenty of reasons to introduce competition into app stores, as seen with recent regulatory pushes. But those stores should be secured, and Play Protect and the live threat detection should be always-on. If Android really is to catch iPhone, then it needs to be bolder in what’s allowed and what isn’t—as Samsung has shown with its default to maximum restrictions.