
None of the comments here seem to discuss or even mention how this situation looks from Google's perspective? I feel like HN readers are not aware of the scale of the problem they face or their motivation behind these changes.

If you look at the rate of growth of the call/text scam industry I think it's entirely possible that Android owners are getting scammed out of more money than Google themselves makes on the Android platform as a whole. It's at least not that far off. Which doesn't even account for the humanitarian issues which they probably feel partially responsible for.



Google’s perspective is that they don’t want people to install NewPipe so that the CEO can buy more yachts.


I would bet the amount of people getting scammed is probably higher than those installing NewPipe.


The difference is that Google doesn’t mind scam apps being on the Play Store.


Because we hear so many stories where the scammer directed their target to install an app so that their scam works

I know a lot more people that install newpipe than people that got scammed by any means, and have never heard of anyone being asked to install an app by a scammer


But I was scammed by newpipe! It said I can watch YouTube, but there aren't any ads! Now I don't know what to buy. It even had CCC Media, so now my videos are informative and insightful. Where's my influencers?!


Google's perspective is that they want full control on Android.

If they really care about scams, the first result when I search for chatgpt is a fake app with a fake logo. Maybe they should start by tackling the scams on the play store as the play store is the far west.


I don't find the assertion credible that people are getting scammed out of more money than the entire platform is worth. But given that Google does not make the revenue for Android public, what kind of numbers do you think you're talking about here?

Also, I think it's disingenuous to say that scams are predominantly powered by sideloading. I think the vast majority of the scams that are perpetrated use apps directly from the Play Store.


They've been claiming since 2023 that sideloading has been a favored attack vector.

"The Global Scam Report also found that scams were most often initiated by sending scam links via various messaging platforms to get users to install malicious apps and very often paired with a phone call posing to be from a valid entity."

https://security.googleblog.com/2023/10/enhanced-google-play... https://security.googleblog.com/2024/02/piloting-new-ways-to... https://blog.google/intl/en-in/products/launching-enhanced-f...


Google's total revenue in 2025 was about $400 billion across their entire company. It's hard to estimate how much money scammers steal in general but if you take an estimate[1] that each of the 300,000 forced laborers generates $300-400/day then you end up at a figure of 40 billion in scams, and considering Android has most of the market in the regions the scammers target you can be pretty sure those are Android owners being scammed through Android devices.

They're also growing rapidly, so those numbers might already be double in 2026

1. https://www.theguardian.com/technology/2025/dec/02/scam-stat...


These numbers aren't credible. Total credit card fraud globally is projected to reach $43 billion in 2026. You're arguing that fraud on Android alone is equivalent to that. Doesn't smell right.


Their solution to every problem is to take away more control of the smartphones each time from the users who own them. Meanwhile, I have far fewer problems with scam and security issues and more freedom with software off F-Droid. Makes you wonder if the actual problem is perhaps the one coming up with these solutions and their malevolent intentions behind a thin veil of laughable PR. Besides, I don't get people's habit of justifying trillion-dollar corporations that can't seem to come up with any non-dystopian solutions.


My bias: former Android and Java dev....

Google chose an OS using a VM by design is insecure by default....

IT'S NOT US USERS' FAULT!


Why does nobody ever think of the poor megacorporation?

I mean maybe you're even right and they care a little bit about people being scammed. But if you believe that the scamming thing is any more than a pretense for further establishing Google's absolute control over the Android ecosystem, that is just very naive.

Their goal is to make money. Apps installed outside of Google mean less money for them. Ergo, consumers' right to install what they want on their devices must go.


I understand usually the megacorporation is simply being anti-consumer with these kinds of changes, and who knows maybe this is the same. But I think this might be an actual exception. They seem to be actually implementing a lot of high effort scam protection features recently in android so unless they did all of that just as an excuse to make side loading harder then they've fooled me.

https://security.googleblog.com/2026/02/strengthening-androi... https://blog.google/innovation-and-ai/technology/safety-secu...

For more context, the "reason" they're increasing the friction in sideloading is to prevent one extremely specific scam where someone instructs you over the phone to download a malicious Android app, which then steals your bank's 2-factor verification code from your notifications and sends it to the scammers. The 24 hour limitation does seem specifically designed to prevent that so I'm inclined to believe them.


You don't need to side load a specific app with malware. All you do is tell the person to go to the Google Play Store and install any Anydesk. Heck, even the reviews for that app point out that people that are scamming you often tell you to install it. Kelly Walters' review from '23 has 215,000 upvotes for warning people about this.


> They seem to be actually implementing a lot of high effort scam protection features recently in android

This all happened recently because a court case was recently decided that broke Google's monopoly on play store money flows (Google must now allow alternate play stores). These recent changes are simply to try to prop up as much of their play store profit center as they can by restricting what you can do with the computer you purchased.


It's pretty easy to make up a reasonable sounding excuse for something you do for your own profit as a company. If they don't even provide any statistic on how frequent these scams are, it can be just words

Also, if your bank 2fa code is in your notifications, you should switch 2fa methods to something other than sms, or switch banks.


So we should just accept that all apps must treat android notifications as a compromised communication channel?

The scammers will find some other way to abuse the very generous permissions allowed by an android app if you prevent the notification attack.


> So we should just accept that all apps must treat android notifications as a compromised communication channel?

Look, that's an OS issue, not an app distribution issue. If I could use the trusted, vetted software from F-Droid I wouldn't need to worry about this sort of attack.


I wouldn't be surprised if the people at google implementing this genuinely believe this to be the case. It was the same thing with AMP, the people doing it really seemed to believe it was entirely a good thing and there were no negative consequences whatsoever. But it doesn't really matter when the thing also blatantly concentrates power within themselves that can later be used to their own interests.

(Here's another reason it's a bad idea: scammers tend to be very good at navigating the roadblocks you put in to do a thing, often more so than the people who legitimately want to do the thing, so I wouldn't be surprised if the scammers still have a healthy supply of malicious apps now signed by Google. If they can't keep malware off of the Play Store where they see the malicious code, why do they think they can stop scammers registering as developers to sign their malware?)


Do you also believe mass surveillance is necessary to protect children?


That's some nasty debate tactic, unworthy of this website. Don't do that.


You seem to love buying bridges.


No. Their stated implementations should be also privacy preserving as they are using on-device LLM models. Not sending your calls or texts to a datacenter.


Large language model models


There will always be scammers who through human engineering get people to transfer money or hand over their jewellery.

(My bank doesn't use SMS by the way everything goes through the official app with biometrics).


That may be, but I think you are missing the point of the outrage: this solution is not good.


So let's discuss a good solution instead of this boring repetitive outrage.


First we need to understand what the root cause of the problem really is then we can discuss solutions. All we've been told is that "Android users are getting scammed, we are going to make side loading impossible". There is no clear cause and effect established, no data shared with the public on what percent of scams were caused by sideloaded apps and how the scams actually operate for us to be able to accept the solution.


> no data shared with the public on what percent of scams were caused by sideloaded apps and how the scams actually operate for us to be able to accept the solution.

They will not share the data because the data goes against their public stance.

APKs are already very annoying to install for your average user. The scams will target the web, the Play Store and then as a very last resort, direct installs.


What public stance do you mean? Did they say somewhere that sharing statistics about Android is against their morals or what do you mean?


Their stance is that they want to lock up Android, if they start sharing the truth, it just doesn't support their goals


Look at the attack vectors that are actually being used, and address them specifically, with minimally invasive measures.

If the problem is apps that allow remote control of your device, that people can be socially engineered into installing, put up barriers to gaining just that permission. That approach would actually help mitigate the problem (as scammers can now just use Google-approved apps for such things).

If the problem is ads that are pushing scams, Google could start with eradicating them from their own network. They seem to be the primary source. And, god forbid, perhaps even offer an ad blocker integrated in Android. (Yeah, I know.)

If the problem is scammers pretending to be a friend or family member in need of help through social apps, Google could force these apps to help users identify these cases (using local privacy friendly heuristics of course) for inclusion in the Play Store. And no, they wouldn't be able to demand the same from apps installed from elsewhere, but that should be firmly outside of their sphere of responsibility. And casual users would be extremely likely to stick with the default app store anyhow.

Note that all three of these proposals provide a measure of safety from the problems they are addressing much larger than what Google is attempting by banning all non-Google-authorized applications.


I am quite genuinely curious what you think the best solution to prevent someone instructing a tech illiterate person over the phone to click through every permission warning about a malicious app they're installing is? No amount of scary menus will work. I feel like they only have 2 options, which is to limit some permissions without any exceptions (making their platform more closed), or make it harder to install apps as a whole.

Do you have a better idea?


If there is literally "No amount of scary menus will work." then those people cannot use computers. So long as they can transfer money with it, or do another action that a scammer may want to do, then the scammer can tell them to do it. They should not be allowed to install banking apps with that logic and need a legal guardian to manage their digital belongings

If the solution is that nobody has control of their digital life anymore (see also attempts to require client-side scanning and verify user age, which don't work if said user can override it) then we've lost sight of the bigger picture


It's not clear at all that a scammer is on the phone, instructing people to click through every warning that they see while sideloading a malicious app. As I stated up thread, the majority of these scams are happening through apps in the Play Store.

To address your question, there should be a straightforward option during device setup. If you're first attaching your account to the device, you simply check a box that says this is an advanced user's phone. You can put it behind the same kind of scary pop-ups that web browsers have when they're about to serve you an HTTP page, or when the HTTPS certificate is self-signed.

It's the most obvious, straightforward, user-friendly approach, and it was never even discussed.


> the most obvious, straightforward, user-friendly approach, and it was never even discussed

Fwiw, it was "discussed" in the sense that the person we're arguing with meant upthread ("let's discuss a good solution instead of this boring repetitive outrage"), but it's not like Google listens to that so any such discussion is pointless anyway. It is indeed the obvious solution and it comes up in each of these threads, but believers like GP can always be new rationalizations of why Google doesn't implement one proposal or another


> It's not clear at all that a scammer is on the phone, instructing people to click through every warning that they see while sideloading a malicious app.

Google claims this to be a very common or majority attack vector.

"The Global Scam Report also found that scams were most often initiated by sending scam links via various messaging platforms to get users to install malicious apps and very often paired with a phone call posing to be from a valid entity."

https://security.googleblog.com/2024/02/piloting-new-ways-to...

> If you're first attaching your account to the device, you simply check a box that says this is an advanced user's phone.

I completely agree this is a perfectly valid solution but what about those who already set up their device? The security of the checkbox only works if you click it before someone attempts to scam you.


All they say is that the apps are malicious, though. The majority of malicious apps distributed on Android are through the Play Store. I really wish they would provide concrete details here because I just don't believe that this is all hinging on sideloading.


I think it's a problem where the only solutions are worse, on the whole, than the disease.

Probably the best option would be the ability to lock down your own device somehow (i.e. put the toggle in the opposite direction by default). This at least lets others around someone vulnerable to this protect them (and probably much more effectively, as the controls can be a lot tighter than 'we once saw an ID we believed was real')


The problem with that thought is that Google isn't creating a good solution, it's creating this specific one.



