Android Is Fighting Phone Scams With a New Feature to Prove Who’s Calling | WIRED

Overview

Android Is Fighting Phone Scams With a New Feature to Prove Who’s Calling

I've been covering spam calling for years, so when Google offered me details about a new Android feature built to detect and flag spoofed calls, I was ready to hear more. What I didn't expect from the demo was to hear my own voice.

Details

“I'm so excited to be interviewing you today about this new fake-call detection feature!” I heard myself saying, while a headshot I've used publicly for years popped up on the demo device. The caller ID name said “Lily.” “Unfortunately, I lost my wallet and I'm stuck. Any chance you can Venmo me so I can take an Uber to the interview?”

As my disembodied voice calmly made the ask, a pop-up appeared as an overlay on the regular call screen: “This may not be Lily. Someone may be pretending to call from your contact's number.”

For Android phones calling each other, the new feature does a digital validity check and flags with a pop-up warning if a call isn't coming from your contact’s smartphone and may be a scam. When the feature flags a call as a scam, it instantly removes the contact photo from the backdrop of the call to underscore the seriousness of the situation (not shown in the prototype demo Google made for WIRED). And the feature also changes the entry in Android’s recent call log to say “Unknown caller” instead of displaying the contact name.

Spam calls have been a scourge for decades, and the threat has only ramped up as attackers have started incorporating AI voice-cloning tools into their attacks—making it possible to convincingly mimic an acquaintance of a victim, or even a family member, in real time. And while a years-long push has improved detection of traditional robocalling, it hasn't eliminated the problem, and not all spam calls get flagged. Those calls that still slip through the cracks are particularly problematic as attackers focus their attention on impersonation scams—making it look like their call is coming from a number you trust, or at least recognize, and then using AI tools to sound like the person you expect when you pick up.

With these types of invasive and potentially devastating scams on the rise, Dave Kleidermacher, Android's vice president of security and privacy, and Eugene Liderman, director of Android security and privacy product, say that there was a real desire within Google to move defenses for victims forward. And they emphasized that while an obvious strategy is to attempt to fight fire with fire—to use AI tools to help detect voice clones in calls—this strategy alone is insufficient. It can have false positives and false negatives, but it can also feed an endless arms race between attackers and defenders.

“We’re always looking at whether there is a provable way, something much higher confidence that we can do,” Kleidermacher says.

The feature is built on the RCS communication standard and baked into the Google Dialer. Beginning today, it will start rolling out in updates for all Android phones running Android 12 (from 2021) and later. The mechanism uses RCS to digitally bind your phone number with your actual smartphone handset. When you call another Android user, your device will send what Kleidermacher describes as “a real-time, silent background confirmation signal” to the device of the person you're calling to verify the legitimacy of your call. If that hardware-based confirmation is missing, the Google Dialer will flag the call.

“If you’re calling me and we’re in each others’ mutual contacts databases, and we’re both using the Google dialer that has this capability built into it, then I will always know if it’s really you,” Kleidermacher says. “If someone tries to call me through a Vo IP session or some other mechanism and spoof your phone number and your voice, the Dialer will say that this is not you.”

The feature is meant to be very straightforward, and the pop-up for a potential scam call simply offers the option to hang up. Phones running Android 12 or later are ubiquitous around the world, but for the feature to truly have an impact, it would need to be incorporated into basically every device, including Apple's i Phones. Google says it intentionally built the feature on RCS so it will be maximally interoperable with as many platforms as possible. Apple did not immediately return a request for comment about whether it has any plans to implement the feature or a similar one in its i OS mobile operating system.

For now, Kleidermacher says he hopes the feature will play a role in protecting people from a type of scam that can fool anyone—with potentially disastrous consequences. “Some of these attacks individually are just very devastating,” he says. “People lose a lot, and it’s very scary.”

How to find us: Add WIRED.com to your preferred sources in Google

Big Story: AI gig work is the new waiting tables—and it's soul-crushing

This summer, the American water crisis becomes real

Event: How to adapt, compete, and win in the next era of business

Key Takeaways

Android Is Fighting Phone Scams With a New Feature to Prove Who’s Calling
I've been covering spam calling for years, so when Google offered me details about a new Android feature built to detect and flag spoofed calls, I was ready to hear more
“I'm so excited to be interviewing you today about this new fake-call detection feature
As my disembodied voice calmly made the ask, a pop-up appeared as an overlay on the regular call screen: “This may not be Lily
For Android phones calling each other, the new feature does a digital validity check and flags with a pop-up warning if a call isn't coming from your contact’s smartphone and may be a scam