Because grandmas all over the world are getting swindled by scam apps.
Look, I can't locally install a web extension I wrote on an open-source Firefox browser, because security. I have to install a Developer Edition, or get the extension reviewed and signed by Mozilla, for the very same reasons of thwarting scammers. Is this stifling, or is it making my browser not mine? Is anybody making a big deal out of that?
The world we inhabit is not always friendly. It has a ton of determined and sophisticated bad actors, and a lot of people with less technical savvy than you and me. We have to deal with that, instead of being cantankerous.
It's not obvious to me that this will help much with scamming. Especially when it affects safer app repositories like F-droid more than the cesspit that is the official Play store.
Play Store being a cesspit is indeed a problem! But it still is making a constant effort to drive away scammers, so scams don't last too long there. Scammers show sleek-looking web pages offering to install an "official app" from their own apk. Or they have an app that clandestinely sideloads another app. This is being curbed.
But it's limited to a one-time action, not encumbered by additional papers or payment. I don't foresee any trouble using F-Droid (which I use a lot) after I have dismissed the scary screens and confirmed that I know what I'm doing.
>It's not obvious to me that this will help much with scamming.
Because as a reader to this forum, you're probably more tech savvy that the average person. Moreover this type of scam seems to be more common in Asia than the West, see:
They convince users to download a "government app", grant it accessibility permissions, then use that to take over their phone and drain their bank accounts.
>Especially when it affects safer app repositories like F-droid more than the cesspit that is the official Play store.
Where do you draw the line? If you whitelist f-droid, do you have to whitelist third party f-droid repos too? What about other app "stores" like obtanium? Moreover f-droid being less of a "cesspool" is likely because its reach is smaller, not because it has better moderation.
I'm aware of the way the scams work. I'm also aware that scammers tend to be much more motivated to jump through hoops that are put in front them (more so than legitimate users!). Scammers can also talk people through many, many warning signs.
Scammers cannot talk people past a 24 hour wait. This attack is built upon pressure and operates at a scale that makes stealing many identies, building different-enough apps to avoid getting flagged by Google and signing them all non-viable.
And most Android banking malware is distributed through unsafe sideload installs (as opposed to much safer Gatekeeper-style installs, which is what is coming) and are fed to victims through complex attacks involving obtaining a victim's personal information and calling them while credibly pretending to be a local authority or a bank representative. You can read about this wherever you get news about cyber crime.
This is a scourge in South East Asia and Google can do some good here. The only cost is whining from non-technical people. Everyone else will go pay $25 or whatever and sign their app.
Because grandmas all over the world are getting swindled by scam apps.
Look, I can't locally install a web extension I wrote on an open-source Firefox browser, because security. I have to install a Developer Edition, or get the extension reviewed and signed by Mozilla, for the very same reasons of thwarting scammers. Is this stifling, or is it making my browser not mine? Is anybody making a big deal out of that?
The world we inhabit is not always friendly. It has a ton of determined and sophisticated bad actors, and a lot of people with less technical savvy than you and me. We have to deal with that, instead of being cantankerous.
It's not obvious to me that this will help much with scamming. Especially when it affects safer app repositories like F-droid more than the cesspit that is the official Play store.
Play Store being a cesspit is indeed a problem! But it still is making a constant effort to drive away scammers, so scams don't last too long there. Scammers show sleek-looking web pages offering to install an "official app" from their own apk. Or they have an app that clandestinely sideloads another app. This is being curbed.
But it's limited to a one-time action, not encumbered by additional papers or payment. I don't foresee any trouble using F-Droid (which I use a lot) after I have dismissed the scary screens and confirmed that I know what I'm doing.
>It's not obvious to me that this will help much with scamming.
Because as a reader to this forum, you're probably more tech savvy that the average person. Moreover this type of scam seems to be more common in Asia than the West, see:
https://cdn.economistdatateam.com/videos/cyber-scams/fake-vi...
https://www.economist.com/interactive/asia/2026/04/10/scam-i...
They convince users to download a "government app", grant it accessibility permissions, then use that to take over their phone and drain their bank accounts.
>Especially when it affects safer app repositories like F-droid more than the cesspit that is the official Play store.
Where do you draw the line? If you whitelist f-droid, do you have to whitelist third party f-droid repos too? What about other app "stores" like obtanium? Moreover f-droid being less of a "cesspool" is likely because its reach is smaller, not because it has better moderation.
I'm aware of the way the scams work. I'm also aware that scammers tend to be much more motivated to jump through hoops that are put in front them (more so than legitimate users!). Scammers can also talk people through many, many warning signs.
Scammers cannot talk people past a 24 hour wait. This attack is built upon pressure and operates at a scale that makes stealing many identies, building different-enough apps to avoid getting flagged by Google and signing them all non-viable.
>Scammers cannot talk people past a 24 hour wait.
Oh yeah, I forgot they're bound to some code of rules they follow. Scammers, of all people.
[flagged]
Please follow the site guidelines regarding (avoiding) personal attacks.
I can think of plenty of scams that take days in the making. Even the classic "redeem" ones have people hooked in the thing for like a week ...
F-Droid is not a safer app repository:
https://privsec.dev/posts/android/f-droid-security-issues/
And most Android banking malware is distributed through unsafe sideload installs (as opposed to much safer Gatekeeper-style installs, which is what is coming) and are fed to victims through complex attacks involving obtaining a victim's personal information and calling them while credibly pretending to be a local authority or a bank representative. You can read about this wherever you get news about cyber crime.
This is a scourge in South East Asia and Google can do some good here. The only cost is whining from non-technical people. Everyone else will go pay $25 or whatever and sign their app.
[dead]