Comment by Taterr
8 hours ago
I understand usually the megacorporation is simply being anti-consumer with these kinds of changes, and who knows maybe this is the same. But I think this might be an actual exception. They seem to be actually implementing a lot of high effort scam protection features recently in android so unless they did all of that just as an excuse to make side loading harder then they've fooled me.
https://security.googleblog.com/2026/02/strengthening-androi... https://blog.google/innovation-and-ai/technology/safety-secu...
For more context, the "reason" they're increasing the friction in sideloading is to prevent one extremely specific scam where someone instructs you over the phone to download a malicious Android app, which then steals your bank's 2-factor verification code from your notifications and sends it to the scammers. The 24 hour limitation does seem specifically designed to prevent that so I'm inclined to believe them.
You don't need to sideload a specific app with malware. All you do is tell the person to go to the Google Play Store and install AnyDesk. Heck, even the reviews for that app point out that people that are scamming you often tell you to install it. Kelly Walters' review from '23 has 215,000 upvotes for warning people about this.
> They seem to be actually implementing a lot of high effort scam protection features recently in android
This all happened recently because a court case was recently decided that broke Google's monopoly on play store money flows (Google must now allow alternate play stores). These recent changes are simply to try to prop up as much of their play store profit center as they can by restricting what you can do with the computer you purchased.
Do you also believe mass surveillance is necessary to protect children?
No. Their stated implementations should also be privacy-preserving, as they are using on-device LLM models, not sending your calls or texts to a datacenter.
That's some nasty debate tactic, unworthy of this website. Don't do that.
It's pretty easy to make up a reasonable-sounding excuse for something you do for your own profit as a company. If they don't even provide any statistic on how frequent these scams are, it can be just words.
Also, if your bank 2FA code is in your notifications, you should switch 2FA methods to something other than SMS, or switch banks.
So we should just accept that all apps must treat android notifications as a compromised communication channel?
The scammers will find some other way to abuse the very generous permissions allowed by an android app if you prevent the notification attack.
> So we should just accept that all apps must treat android notifications as a compromised communication channel?
Look, that's an OS issue, not an app distribution issue. If I could use the trusted, vetted software from F-Droid I wouldn't need to worry about this sort of attack.
I wouldn't be surprised if the people at google implementing this genuinely believe this to be the case. It was the same thing with AMP, the people doing it really seemed to believe it was entirely a good thing and there were no negative consequences whatsoever. But it doesn't really matter when the thing also blatantly concentrates power within themselves that can later be used to their own interests.
(Here's another reason it's a bad idea: scammers tend to be very good at navigating the roadblocks you put in to do a thing, often more so than the people who legitimately want to do the thing, so I wouldn't be surprised if the scammers still have a healthy supply of malicious apps now signed by Google. If they can't keep malware off of the Play Store, where they see the malicious code, why do they think they can stop scammers registering as developers to sign their malware?)
There will always be scammers who through human engineering get people to transfer money or hand over their jewellery.
(My bank doesn't use SMS, by the way; everything goes through the official app with biometrics.)