Google appears to be working on a new Android feature that automatically detects deceptive apps, aiming to improve protection against phishing. The feature, spotted in the Android 14 QPR2 Beta 2 release, sits under Settings → Security & privacy → More security & privacy with the label "scanning for deceptive apps." When enabled, it checks app activity for phishing or other deceptive behavior by scanning what the app puts on screen for specific signs. Google states that the scanning happens privately on the device; if deceptive behavior is detected, some app information is sent to Google Play Protect to confirm the threat and warn the user.
Google has not officially announced or documented the feature, so the specifics of how Android identifies deceptive apps are not yet known. A glance at the decompiled Android 14 QPR2 code reveals a new system service named "ContentProtection," which appears to detect when an app displays a password field or asks for user-related information. It checks for common credential-related strings such as "password," "user," "mail," and "phone," among others. It also consults a blocklist to exempt certain apps from the mechanism and checks whether an app is a system app and whether it requests the Internet permission, presumably to scope scanning to third-party apps that could send harvested data off the device.
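To make the described checks concrete, here is an added illustrative reconstruction of the heuristic. It is not Android's ContentProtection code, whose actual logic has not been published; the term list, the blocklist entries, the sample app records and the shape of the report forwarded to Play Protect are all assumptions made for this example.

```python
"""Illustrative reconstruction of the deceptive-app heuristic described above.

Added example, not Android's ContentProtection service. The term list,
blocklist, sample apps and report shape are all assumed.
"""
from dataclasses import dataclass

# Assumed credential-related terms, loosely following those named in the
# article ("password", "user", "mail", "phone"); the real list is unknown.
CREDENTIAL_TERMS = ("password", "passwd", "username", "user", "mail", "phone")

# Hypothetical blocklist of packages exempted from scanning.
BLOCKLIST = frozenset({"com.example.trustedbank"})

INTERNET = "android.permission.INTERNET"


@dataclass(frozen=True)
class InputField:
    hint: str          # hint/label text shown for the field
    is_password: bool  # True if the field masks input (password input type)


@dataclass(frozen=True)
class AppSnapshot:
    """Constructed stand-in for what the scanner sees for one app screen."""
    package: str
    is_system: bool
    permissions: frozenset
    fields: tuple             # tuple of InputField
    visible_text: tuple = ()  # other text rendered on the screen


def in_scope(app: AppSnapshot) -> bool:
    """Apply the exclusions the article mentions: blocklisted apps,
    system apps and apps without network access are skipped."""
    if app.package in BLOCKLIST or app.is_system:
        return False
    return INTERNET in app.permissions


def _matching_term(text: str):
    """Return the first credential-related term found in text, else None."""
    lowered = text.lower()
    for term in CREDENTIAL_TERMS:
        if term in lowered:
            return term
    return None


def credential_signals(app: AppSnapshot) -> list:
    """Collect signs that the screen asks for credentials or user data."""
    signals = []
    for f in app.fields:
        if f.is_password:
            signals.append("password field")
        term = _matching_term(f.hint)
        if term:
            signals.append(f"field hint mentions {term!r}")
    for text in app.visible_text:
        term = _matching_term(text)
        if term:
            signals.append(f"screen text mentions {term!r}")
    return signals


def scan(app: AppSnapshot) -> dict:
    """Run the on-device check and build the (assumed) report that would go to
    Play Protect: package name and signal names only, never typed contents."""
    if not in_scope(app):
        return {"package": app.package, "flagged": False, "signals": []}
    signals = credential_signals(app)
    return {"package": app.package, "flagged": bool(signals), "signals": signals}


# Constructed sample apps: one phishing-style login screen that is in scope,
# and three that show the same kind of screen but are excluded.
PHISHING_APP = AppSnapshot("com.example.fakeupdate", False, frozenset({INTERNET}),
                           (InputField("Email", False), InputField("Password", True)),
                           ("Sign in to continue",))
OFFLINE_APP = AppSnapshot("com.example.notes", False, frozenset(),
                          (InputField("Password", True),))
SYSTEM_APP = AppSnapshot("com.android.settings", True, frozenset({INTERNET}),
                         (InputField("Password", True),))
BLOCKLISTED_APP = AppSnapshot("com.example.trustedbank", False, frozenset({INTERNET}),
                              (InputField("Username", False), InputField("Password", True)))

if __name__ == "__main__":
    for app in (PHISHING_APP, OFFLINE_APP, SYSTEM_APP, BLOCKLISTED_APP):
        print(scan(app))
```

Running the block flags only the first app; the other three show an identical password prompt but are excluded by the network, system-app or blocklist checks before any string matching runs. The example also shows why a string-based heuristic is only a first filter: a screen whose labels are rendered as images, or worded in a language outside the term list, produces no signals at all, which is why the article notes that a positive is sent to Play Protect for confirmation rather than acted on locally.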
This upcoming anti-phishing measure is part of Google's push to deliver real-time security through Google Play Protect. Because the visible checks rely on recognizable strings and password fields, a malicious app that renders its prompts as images or uses uncommon wording may slip past, and legitimate login screens may trigger the on-device check before Play Protect rules them out, so its effectiveness against evolving malware remains to be seen. Nonetheless, an on-device layer that can catch a credential-harvesting screen before the user types into it is a positive development and should make it harder for phishing attempts to succeed.