Android security update adds preventative user blocks.<\/p>\n
SOPA Images\/LightRocket via Getty Images<\/p>\n
Update, May 16, 2025: This story, originally published May 14, has been updated with news of more security features that have either arrived or are coming real soon now as part of Android 16, as announced in Google\u2019s latest Android update and beyond, including new Advanced Protection Program additions and SMS authentication code automation. <\/p>\n
Usually, when an update stops you from doing things, it\u2019s hardly a cause for celebration. Sometimes, however, it really should be, and Google has just confirmed that with a new Android update that is simultaneously restrictive and freeing. We\u2019ve seen this before with the news that Android smartphones will soon start automatically replacing passwords with passkeys<\/a>, for example. Now, Google has announced a trio of new features for Android smartphones that, while restricting certain activities, will also enhance user security and privacy. Here\u2019s what you need to know.<\/p>\n ForbesCISA Issues Critical Chrome 0-Day Alert: Don\u2019t Wait To UpdateBy Davey Winder<\/a><\/p>\n Don\u2019t Hate This New Android Update, Learn To Love The Restrictions<\/p>\n Anyone who knows me will happily agree that I really don\u2019t like being told what to do, so why am I rather pleased that Google has confirmed a new Android update that imposes restrictions on smartphone users whether they like it or not? Because, dear reader, I\u2019m a security geek, and sometimes the best preventative medicine is the one you\u2019re told to take. Or, as in the latest Android security update, the three not so bitter to swallow attack mitigation pills.<\/p>\n A May 13 announcement from Dave Kleidermacher, Google\u2019s vice president of engineering for Android security and privacy, has confirmed that new in-call security protections<\/a> have been added to the smartphone user armory. These restrictive measures come by way of response to the fact that Google\u2019s own research, Kleidermacher said, showed that threat actors love to persuade victims into performing certain risky actions during a conversation. Actions such as changing default security settings or granting new app permissions, for example. \u201cThese actions can result in spying, fraud, and other abuse by giving an attacker deeper access to your device and data,\u201d Kleidermacher warned. Advising that the new security measures are entirely executed on your smartphone device, and then only where a conversation is with someone not already in your existing contacts, Kleidermacher confirmed that Google is \u201cworking to block specific actions and warn you of these sophisticated attempts.\u201d<\/p>\n ForbesGoogle\u2019s Android Update \u2014 Passwords Automatically Become PasskeysBy Davey Winder<\/a> Announcing Android\u2019s new protections, Google confirmed the three user actions that would now be prevented during a call: disabling Google Play Protect, sideloading an app, changing app accessibility permission and<\/p>\n Google\u2019s Play Protect<\/a> is activated by default, and for good reason: it is continually scanning for malicious app behavior and protecting the user from the consequences. Being persuaded to disable this protection during a call is almost certainly a sign of an attack in progress. Preventing you from being able to do so, therefore, is a good thing.<\/p>\n If you side-load an app, meaning that it is from somewhere other than an official Google download store, it leaves you open to installing malware as the app may not have been properly vetted for security issues. The new protections prevent users from sideloading any new app from a web browser, messaging app or any source, during a call.<\/p>\n And finally, if you are persuaded to grant accessibility permissions that you otherwise wouldn\u2019t need, this is a massive red flag from the security and privacy perspectives. Doing so can provide an attacker with access to \u201cgain control over the user\u2019s device and steal sensitive or private data, like banking information,\u201d Kleidermacher warned.<\/p>\n There is a fourth aspect to this Android update, but I\u2019ve not included it in the magic number of three as it\u2019s a prompt rather than a straight restriction. This is when you are using screen sharing during a call, Android will now prompt you to stop sharing when the call ends to prevent an attacker from attempting to gain access to data.<\/p>\n ForbesNew Android Chrome Attack Warnings Confirmed By GoogleBy Davey Winder<\/a> As reported by a well-respected tipster, Android users could soon see a major update to how two-factor authentication codes are handled when sent by SMS to their smartphones. Let\u2019s get the security elephant in the story out of the way first: don\u2019t use SMS if you have any alternative available. Equally, of course, do use SMS if you don\u2019t, as any 2FA is better than none. SMS remains, however, the weak link when it comes to the delivery of verification codes as it is a much less secure method compared to the use of an authentication code application, push verification in-app or, best of all, using a passkey. OK, all that said, back to the SMS automated code news. Android code guru Leopeva64<\/a> spotted Canary beta code that suggests \u201cChrome for Android could soon detect and extract verification codes sent via SMS and automatically fill them in, eliminating the need to manually copy and paste them.\u201d This doesn\u2019t fill me with excitement, truth be told, as it adds little to the security of the SMS code method beyond preventing someone copying the clipboard where you have had to cut and paste before to achieve the same result with the website concerned. SMS remains insecure, weak, and unrecommended.<\/p>\n Far more exciting, if you ask this cybersecurity nerd anyway, is the Google confirmation of the piloting of new and enhanced protections for banking apps during calls. Although not available for everyone quite just yet, Kleidermacher announced that Google is piloting new in-call features to protect banking app starting in the U.K. \u201cScreen sharing scams are becoming quite common, with fraudsters often impersonating banks, government agencies, and other trusted institutions,\u201d Kleidermacher explained, \u201cusing screen sharing to guide users to perform costly actions such as mobile banking transfers.\u201d This is where the protections will kick in for those chosen to pilot the functionality, based on the banking apps that are participating in the initial pilot program. This means U.K. users of Monzo, NatWest and Revolut, with Android users of those banks automatically being enrolled in the coming weeks. \u201cWhen you launch a participating banking app while screen sharing with an unknown contact,\u201d Kleidermacher said, \u201cyour Android device will warn you about the potential dangers and give you the option to end the call and to stop screen sharing with one tap.\u201d You will need to be using Android 11 or later, and it only kicks in when you are on a phone call with an unknown contact.<\/p>\n The recent launch of real-time scam detection<\/a> in Google Messages was something I covered at the time, but now Google says it is making these protections more intelligent. The aim of scam detection is essentially what it says on the tin: to protect users from conversational scams with malicious intent. That means any of those phishing and fraud messages you might get by way of Google Messages or Phone by Google. The protection kicks in when it determines the conversation to be suspicious, based on context learned from analyzing thousands upon thousands of such attacks, and issues a real-time warning to end the chat before you can be conned. All of this is achieved, Google said, on-device so all your conversations remain 100% private and you can disable it at any time to ensure you maintain full control. \u201cWe\u2019ve now expanded our detections to help protect you from a wider variety of sophisticated scams,\u201d Kleidermacher confirmed.<\/p>\n These include the following:<\/p>\n ForbesWindows 11 Hacked \u2014 Three New Zero-Days Deployed By Pwn2Own EliteBy Davey Winder<\/a> As regular Forbes readers will be only too aware of by now, I am both an enthusiastic supporter and a highly satisfied user of Google\u2019s advanced protection program<\/a> which can prevent any number of Gmail account takeover attacks from succeeding.<\/p>\n The latest Android update announcement has some good news from Google regarding the advanced protection program for Android users. Confirming that the APP \u201cprovides Google\u2019s strongest protections against targeted attacks,\u201d Kleidermacher went on to announce that, for Android 16 users at least, this advanced protection is being extended to include device-level security. Kleidermacher\u2019s confirmation was, truth be told, but a tease; the real detail was to be found in another announcement, this time by Google\u2019s Android security group product manager, Il-Sung Lee.<\/p>\n \u201cAdvanced Protection ensures all of Android\u2019s highest security features are enabled and are seamlessly working together to safeguard you against online attacks, harmful apps, and data risks,\u201d Lee said<\/a>, adding that for Android 16 users, it will combine new features with pre-existing ones. If advanced protection is activated, Lee said, then Android 16 users will gain immediate access to:<\/p>\n More broadly, the Advanced Protection Program restricts the data that apps can access, blocking most non-Google apps and services from accessing Google account data from Drive or Gmail, for example. \u201cIf anyone tries to recover your account,\u201d Google said, \u201cAdvanced Protection takes extra steps to verify your identity.\u201d This means that it can take a few days to verify that you are who you say you are and get access to your Google account back, but it\u2019s a small price to pay for peace of mind against the hacking threat.<\/p>\n \u201cAdvanced Protection gives users the option to equip their devices with Android\u2019s most effective security features for proactive defense,\u201d Lee said, \u201cwith a user-friendly and low-friction experience.\u201d Not least, it means that the Android user is protected from the accidental or malicious disabling of APP security features using a defense-in-depth paradigm. \u201cAdvanced Protection acts as a single control point that enables important security settings across many of your favorite Google apps,\u201d Lee concluded, \u201cincluding Chrome, Google Message, and Phone by Google.\u201d This is one Android update that we can all, surely, get behind.<\/p>\n
\nThe Risky Smartphone Call Actions This Android Update Puts The Kibosh On<\/p>\n
\nMore Android Update Security-Related News You Need To Know<\/p>\n\n
\nAndroid Update Brings New Advanced Protection Program Features To Android 16<\/p>\n\n