
Google tackles stealth cybercrime wave targeting bank details on your phone

Hackers are deploying invisible surveillance apps that watch everything on your phone screen, prompting Google to launch emergency security measures against the growing threat.


A new stealth wave of cybercrime is hitting smartphone users, as hackers deploy hidden apps designed to see everything on your screen, including banking logins and one-time passwords.

This real-time surveillance technique has fuelled a surge in global financial fraud, prompting Google to roll out a major security upgrade to its Android devices.

The tech titan has also outlined how it is changing access to YouTube to comply with the Albanese government’s world-first social media ban for children aged under 16 – legislation it said was “rushed” and would make “kids less safe”.

Google’s new defence, an enhancement to the company’s Play Protect system, is designed to automatically block malicious “spy apps” before they can be installed.


It aims to automatically block the installation of apps downloaded from unverified sources – such as web links or messaging services – if they are found to be seeking permissions commonly exploited for financial fraud.

Google Australia government affairs and public policy manager Rebecca Turner said scams were becoming “more personalised and more technologically advanced”.

“Australia cannot afford to be complacent. Criminals are moving fast and exploiting any gap they can find,” Ms Turner said.

“We need to match that pace with modern measures such as layered security, on-device protections and verified identities.”

The core threat stems from a technique known as “side-loading”, where scammers trick users, including “increasingly vulnerable seniors”, into installing harmful software from unofficial stores. The malicious apps often pose as legitimate tools but seek deep access to the device.

“Basically, something that we’ve noticed in Australia and globally as well is that, unfortunately, scammers are starting to use the side loading of apps,” Ms Turner said.

“That is essentially downloading through a link … a scam app that is actually there to either be a malware scam or remote access scam.”

The enhanced Play Protect feature is designed to neutralise this threat by analysing app permissions in real-time, looking specifically for dangerous requests that enable deep surveillance. The technology will spot requests that could be used to “steal a one-time password or potentially to spy on your screen”, Ms Turner said, and will “alert users and also prevent the installation of these harmful apps”.


For people who are still unsure whether a text message, email or online advertisement is a scam, Google has also introduced a “Circle to Search” tool. Users circle the suspicious content, and Google’s AI technology says whether it is malicious or not.

“The ability to use Circle to Search to spot scams will help more Australians be able to identify scams before it’s too late. This is just one of the many AI-powered tools that will help Australians learn and identify the warning signs of a scam and stay safe online. As texting becomes the go-to way to communicate, it’s essential that businesses and consumers feel confident messaging one another and this tool helps make that possible,” Ms Turner said.

This focus on side-loading addresses one of the most critical vulnerabilities in the Android ecosystem, where malicious actors exploit user trust to gain remote access or intercept crucial multi-factor authentication codes. For Google, this prevention layer is “really, really fundamental and important” for keeping vulnerable areas of the community safe.

The security upgrade is part of a multi-layered defence strategy. In the past year, Google globally removed 205.7 million ads and suspended over 841,000 accounts for various violations, including misrepresentation and network abuse. Ms Turner said that 98 per cent of ads seen in Australia this year on Google’s platforms were from ID-verified advertisers, a measure making it “harder for scammers to hide who they are”.

But Ms Turner said “technology alone isn’t enough” and stressed the need for a joint effort across government, industry, and the community to stay ahead of the escalating global threat.

Google’s new security initiatives are running parallel to its efforts to comply with new, stringent Australian regulations. It is concurrently preparing for significant operational changes to its YouTube platform mandated by the federal government’s underage social media ban, which is set to take effect on December 10. The law will require all YouTube viewers to be 16 or older to sign into the service.

In a blog post, Google described the legislation as “disappointing”, arguing that the policy was “rushed” and “misunderstood the platform”. The company warned the changes could ultimately “make Australian kids less safe on YouTube”.

Under the new compliance rules, viewers under 16 will be automatically signed out of YouTube on the effective date and will lose access to account-dependent features, including subscriptions, playlists, and user-defined wellbeing settings such as “Take a Break” reminders. Google said that parents will also lose the ability to supervise their children’s accounts, eliminating controls like content-setting choices and channel blocking.

Originally published as Google tackles stealth cybercrime wave targeting bank details on your phone


Original URL: https://www.heraldsun.com.au/business/google-tackles-stealth-cybercrime-wave-targeting-bank-details-on-your-phone/news-story/0842ab4c69c61a284eec6e083271a9eb