Full Report
Google is working on a new security feature for Android that blocks device owners from changing sensitive settings when a phone call is in progress. Specifically, the in-call anti-scammer protections include preventing users from turning on settings to install apps from unknown sources and granting accessibility access. The development was first reported by Android Authority. Users who attempt
Analysis Summary
# Best Practices: Anti-Social Engineering Defense via Mobile OS Controls
## Overview
These practices focus on mitigating Telephone-Oriented Attack Delivery (TOAD) and related scams where adversaries use phone calls to socially engineer users into granting sensitive permissions (like installing unknown apps or enabling accessibility services) on mobile devices. The core recommendation involves leveraging operating system features to introduce friction or outright block these actions during active calls.
## Key Recommendations
### Immediate Actions
1. **Review Current OS Security Status:** Immediately verify that all managed mobile devices are running the latest stable operating system versions available (e.g., Android 16 Beta 2 or later, where these protections are actively being tested/deployed).
2. **Educate Users on In-Call Security Warnings:** Inform users that system warnings related to granting sensitive permissions during calls are legitimate indicators of potential scams and should **never** be bypassed when interacting with unknown callers.
### Short-term Improvements (1-3 months)
1. **Enable OS-Level Anti-Scam Protections:** Ensure the new security feature (which blocks installations from unknown sources and accessibility service grants during calls) is enabled, assuming it moves from beta to general availability promptly.
2. **Restrict Sideloading by Default:** Configure mobile devices to strictly prohibit the installation of apps from unknown sources, making it a deliberate, high-friction process even when not on a call.
### Long-term Strategy (3+ months)
1. **Maintain Dynamic Restriction Policies:** Establish a long-term security governance process that monitors OS updates (like Android CDD updates) for newly restricted settings and applies these restrictions organization-wide via Mobile Device Management (MDM) solutions.
2. **Integrate Attack Delivery Context:** Develop security protocols that flag or scrutinize activity patterns occurring immediately after a phone call ends, as this is the likely follow-up window for a scammer to instruct the victim to proceed with the disabled action.
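The post-call correlation described in the long-term strategy above, as an added example that is not part of the original article or any Google tooling: it assumes a constructed MDM-style event feed whose line format and field names (CALL_STARTED, CALL_ENDED, SETTING_CHANGED, ACCESSIBILITY_GRANTED, known_contact) are hypothetical, and flags sideloading or accessibility grants that happen during a call or within a configurable window after it ends.

```python
from datetime import datetime, timedelta

# Constructed sample feed (not real telemetry): "<ISO timestamp> <device> <EVENT> key=value ...".
# Event and field names are assumptions; map them to whatever your MDM actually exports.
SAMPLE_LOG = """\
2024-05-01T10:00:00Z dev-001 CALL_STARTED number=+15551230000 known_contact=false
2024-05-01T10:06:30Z dev-001 SETTING_CHANGED key=install_unknown_apps value=enabled
2024-05-01T10:07:10Z dev-001 CALL_ENDED
2024-05-01T10:08:00Z dev-001 ACCESSIBILITY_GRANTED package=com.example.remote
2024-05-01T12:00:00Z dev-002 CALL_STARTED number=+15559990000 known_contact=true
2024-05-01T12:02:00Z dev-002 CALL_ENDED
2024-05-01T12:30:00Z dev-002 SETTING_CHANGED key=install_unknown_apps value=enabled
"""

def parse_event(line):
    """Split one log line into timestamp, device id, event name and a dict of key=value fields."""
    ts, device, event, *pairs = line.split()
    fields = dict(p.split("=", 1) for p in pairs)
    return datetime.strptime(ts, "%Y-%m-%dT%H:%M:%SZ"), device, event, fields

def is_sensitive(event, fields):
    """The two actions the in-call protection targets: enabling sideloading and accessibility grants."""
    if event == "SETTING_CHANGED":
        return fields.get("key") == "install_unknown_apps" and fields.get("value") == "enabled"
    return event == "ACCESSIBILITY_GRANTED"

def detect_post_call_changes(log_text, window_minutes=10):
    """Return findings for sensitive changes made during a call or within window_minutes after it ends."""
    window = timedelta(minutes=window_minutes)
    calls, findings = {}, []          # calls[device] = {"fields": call metadata, "ended": datetime or None}
    for line in log_text.splitlines():
        if not line.strip():
            continue
        ts, device, event, fields = parse_event(line)
        if event == "CALL_STARTED":
            calls[device] = {"fields": fields, "ended": None}
        elif event == "CALL_ENDED" and device in calls:
            calls[device]["ended"] = ts
        elif is_sensitive(event, fields):
            call = calls.get(device)
            reason = None
            if call and call["ended"] is None:
                reason = "during_call"                      # the OS-level block should already cover this
            elif call and ts - call["ended"] <= window:
                reason = "post_call"                        # the follow-up window the OS does not cover
            if reason:
                findings.append({"time": ts.isoformat(), "device": device, "event": event,
                                 "reason": reason, "known_contact": call["fields"].get("known_contact", "unknown")})
    return findings

if __name__ == "__main__":
    for finding in detect_post_call_changes(SAMPLE_LOG):
        print(finding)
```

Findings carrying known_contact=false are the ones to triage first; the window length is a tuning knob, and the dev-002 change 28 minutes after a call from a known contact is only flagged when the window is widened.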
## Implementation Guidance
### For Small Organizations
- **Prioritize MDM Adoption:** If not already in place, implement a light-touch MDM/UEM solution that allows centralized enforcement of "Install Unknown Apps" settings to be disabled by default across all corporate and BYOD devices accessing sensitive data.
- **Manual Verification:** Train staff to treat any sensitive settings change requested by someone they have just spoken to on the phone as suspect, and not to carry it out without independent verification.
### For Medium Organizations
- **Pilot New OS Features:** Actively participate in beta/early release programs for new OS versions (like Android 16) to test the friction measures before general rollout, and develop internal SOPs based on the observed protections.
- **Targeted Training:** Conduct mandatory, periodic training focused specifically on TOAD attacks, in which urgent requests arrive over the phone or by SMS (smishing that leads to a call).
### For Large Enterprises
- **Automate Policy Enforcement:** Utilize MDM/EMM platforms to enforce device compatibility (e.g., requiring minimum OS levels) and automatically push configuration profiles that lock down restricted settings categories mentioned in evolving Compatibility Definition Documents (CDD).
- **Integrate Threat Intelligence:** Subscribe to security feeds (like Google's public disclosures) tracking new social engineering tactics like TOAD to proactively adjust mobile configuration policies ahead of widespread exploitation.
## Configuration Examples
*Note: As the article describes a forthcoming OS feature, specific, universally applicable configuration commands were not provided. The following reflects the goal configuration.*
**Goal Configuration for Mobile OS Security (Conceptual Anti-Scam Setting):**
| Setting Category | Desired State (Default Blocked) | Condition for Override/Unlock | Rationale |
| :--- | :--- | :--- | :--- |
| Install Unknown Apps | Disabled System-Wide | Requires manual authentication and is **NOT PERMITTED** if an active phone call is detected. | Prevents immediate malware sideloading during social engineering pressure. |
| Accessibility Permissions | Revoked/Denied for newly installed apps | Requires manual authentication and is **NOT PERMITTED** if an active phone call is detected. | Prevents granting remote control or monitoring tools during a scam call. |
## Compliance Alignment
- **NIST SP 800-53 (AC-3, SC-8):** Directly supports System Integrity by restricting unauthorized configuration changes and enforcing secure default configurations.
- **CIS Controls v8 (Control 4: Banned Remote Access & Control):** By blocking accessibility services requests initiated during calls, this mitigates a common remote control vector often masked by social engineering.
- **ISO/IEC 27002 (A.13.2.1 - Information Transfer Policies):** By adding friction to permission changes, it limits unauthorized or coerced data access pathways.
## Common Pitfalls to Avoid
- **Falling Behind on Updates:** Failing to upgrade devices to OS versions that include these native protections leaves the organization vulnerable to the exact tactics the update is designed to stop.
- **Ignoring SMS/Call Correlation:** Treating attack vectors as siloed (e.g., focusing only on email phishing) and neglecting the TOAD method, which relies on an SMS prompting the victim to place a call.
- **Over-Permissiveness:** Granting blanket "Install Unknown Apps" or Accessibility Service exceptions via MDM policies, which negates the value of the OS-level friction layer.
## Resources
- **Android Compatibility Reference:** Monitor official documentation (e.g., Android CDD updates) for the finalized list of restricted settings being protected by the in-call feature.
- **Google Play Protect:** Ensure this service is active and updated on all devices to provide an additional layer of defense against malicious sideloaded apps.
- **Security Awareness Content:** Utilize vendor materials concerning social engineering tactics like "Vishing" (Voice Phishing) and TOAD to inform ongoing user education programs.