Android 17 to expand banking scam call and privacy protections

by · BleepingComputer

Android 17, expected to roll out next month, will introduce several security and privacy features focused on device theft, threat detection, and banking scam calls.

Google will be expanding protections against scammers spoofing caller IDs to impersonate financial institutions and trick users into transferring money or revealing account-related information.

Android will work with banking apps to detect spoofed calls and automatically terminate the connection when a scam is identified.

Terminating a scam call
Source: Google

Call authenticity is verified through app-level queries and by comparing the calling number against an internal set of numbers provided by the banks, a set that is not used for customer communication.

The initial rollout will cover the massively popular digital banking and payments app Revolut, the large Brazilian retail and commercial bank Itaú Unibanco, and the Latin American digital bank Nubank.

Although the feature will be introduced in Android 17, Google promises to make it available on Android 11 and later.

Android’s Live Threat Detection - an anti-stalkerware capability that leverages Play Protect to analyze app behavior and assess potential risk - is being expanded to detect additional abuse techniques, including SMS forwarding misuse, concealed accessibility overlays, apps that hide or alter their icons, and malicious background launches.

Flagging a malicious app
Source: Google

The Advanced Protection device-level security, available since Android 16, will also be expanded, now restricting accessibility service access to apps explicitly labeled as accessibility tools, disabling device-to-device unlocking, disabling Chrome WebGPU support, and adding scam detection for chat notifications.

To increase protection against device theft, Google's "Mark as lost" feature in Android 17 will allow locking a phone with biometric authentication, as an extra option alongside the device passcode or PIN.

As a result, once you mark a device as lost, thieves will not be able to disable device tracking or access the device again, even if they have the passcode or PIN to unlock it.

Source: Google

Once the device is marked as lost, the Quick Settings menu will become unavailable, and Wi-Fi and Bluetooth connections will be disabled.

Google says that in select markets, including Argentina, Chile, Colombia, Mexico, and the United Kingdom, the device theft protection feature will be available on smartphones running Android 10 or later.

Additional notable improvements related to privacy and security include:

  • Chrome for Android will scan downloaded APKs for known malware before installation.
  • “Mark as lost” will require biometrics to unlock devices, hide Quick Settings, and block new Wi-Fi and Bluetooth connections. Remote Lock and Theft Detection Lock will also become enabled by default on Android 17 devices and some Android 10+ devices in select markets.
  • Android 17 will reduce the number of PIN/password-guessing attempts allowed and increase the delay between failed unlock attempts.
  • Android 12+ devices will allow viewing the lock-screen IMEI for ownership verification and recovery.
  • Android 17 adds temporary precise-location sharing, improved location access indicators/history, and a new contact picker for temporary access to specific contacts only.
  • Android 17 introduces AISeal with pKVM for hardware-backed isolation of AI-related data processing.
  • Pixel devices will initially gain verification for official Android builds, backed by a public ledger for authentic Google apps and GMS APIs.
  • Android will hide SMS one-time passwords from most apps for three hours to block OTP theft.
  • Carriers will be able to ship devices with 2G disabled by default in regions where legacy networks are retired.
  • Android is adding post-quantum cryptography protections for future-proof security.

Some of these features, like OS verification, are launching on Pixel devices first or are limited to newer models, while others might be open to OEM adoption, so rollout timelines may vary widely across the Android ecosystem.
