This feature, first uncovered since the QPR2 Beta 1 release, and titled “scanning for deceptive apps,” resides under Settings > Security & privacy > More security & privacy. Once enabled, the feature will scan app activity for signs of phishing or other deceptive behavior. Google assures users that the scanning happens privately on the device, and only if suspicious behavior is detected will app information be sent to Google Play Protect for confirmation and user warnings.

While the feature’s existence seems to be a done deal based on what was found in the code, specific details on how it operates are still unclear. Google hasn’t officially announced or documented it, leaving many questions unanswered. However, a closer look at the decompiled source code reveals a system service called “ContentProtection” that appears to be responsible for detecting deceptive app behavior.

The “ContentProtection” service seems to focus on identifying apps that attempt to display password fields or request related information like usernames, emails, phone numbers, and login credentials. It appears to utilize a blocklist to exclude specific apps from this scrutiny and also considers whether an app is a system app or requires internet permission.

While the effectiveness of this built-in anti-phishing feature remains to be seen, it represents a significant step forward in Android’s security posture. As malware continuously evolves to bypass detection mechanisms, any additional layer of protection is valuable. This feature has the potential to save users from falling victim to phishing scams and safeguarding their sensitive information.