Google has launched a new initiative to curb monetary scams while not permitting such sideloading of selected applications in Singapore. This tries to bar applications that abuse Android permissions by reading one-time passwords received through SMS and notifications.

According to Google, the attackers utilize four categories of permissions to carry out financial fraud. The company's survey also revealed that most of the fraudster apps are installed sideloaded-also referred to as installing onto the device manually, not through the Play Store.

These permissions are abused especially by fraudsters who intercept one-time passwords through SMS or other types of notifications while spying on-screen content. In fact, our analysis of the major fraud malware families that abuse such sensitive runtime permissions found that over 95 percent of installations were rooted in Internet-sideloading sources," the company blog noted.

The search giant said when a user in Singapore tries to install any such app, Google will automatically block the attempt with a message pop-up that reads: "This app can request access to sensitive data. This can increase the risk of identity theft or financial fraud."

Google has developed this pilot in collaboration with the Cyber Security Agency of Singapore (CSA) as part of its Play Protect program.

Last fall, the company announced a real-time scanning protection feature-by the first rollouts were in India-that prevents people from installing malicious apps sideloaded from outside. In November, TechCrunch carried out a test with more than 30 different malicious apps. And while Google's protection feature blocked most of them, some predatory loan apps were installed.
 Android's new real-time app scanning: The quest to eradicate malicious sideloaded apps

“With this recent enhancement, we’re adding real-time scanning at the code-level to Google Play Protect to combat novel malicious apps, regardless of if the app was downloaded from Google Play or elsewhere,” said Google spokesperson Scott Westover in an email to TechCrunch at that time. “These capabilities will continue to evolve and improve over time, as Google Play Protect collects and analyzes new types of threats facing the Android ecosystem.”

Since then, Google has scaled the real-time scanning feature to new territories such as Thailand, Singapore, and Brazil.
In its latest announcement, the search company has notified the developers that their applications should not indulge in Mobile Unwanted Software violations and are expected to abide by the guidelines. The company claims it is open to expanding the pilot program in other countries.

We are constantly strengthening our defenses for the safety of Android users around the world. Working with CSA, we will closely monitor the pilot program outcomes and adapt effectiveness and improvement needs. If this is something that maintains interest globally and, more importantly, the needs around user protection, we'd be happy to roll out the pilot to other countries in the future. According to Eugene Liderman, director of Android Security Strategy at Google when speaking to TechCrunch.

Google has had to deal with fraudulent loan apps in geographies such as India and Africa. In India, Google is under attack since predatory loan apps and their representatives have harassed people for repaying them, pushing several to commit suicide.
In India, Predatory loan apps collect large amounts and drive some users to kill themselves. 

Last year, Google launched a new policy that does not allow accessing loan application from user's pictures and contact information.