grishka 11 hours ago

There's quite a gap between this sort of opportunistic scamming that's happening all over the world and targeted multi-year campaigns that probably require the resources of a nation state.

II2II 10 hours ago

True, but that kinda misses the point.

One way to look at it: there are many open source projects targeting Android, projects that gain some sense of legitimacy over being open source yet have few (if any) eyes vetting them. Or, perhaps, the project is legitimate but people are getting third-party builds. That is what F-Droid does. That is what the developer of a third-party ROM does. It would not require the resources of a nation state to compromise them.

I am not trying to cast a shadow on open source projects or F-Droid here. I am simply using them as an example because I use said software and am familiar with that ecosystem. The same goes for any software obtained outside of the Play Store, and it's likely worse since there is no transparency in those cases. Heck, the same goes for software obtained through the Play Store (but we're probably talking about nation state resources on that front).

Another way to look at it: we are only considering a specific avenue for exploitation here. If you close it off, the criminals will look for others. I would be surprised if they weren't looking for ways to bypass Google's checks. I would be surprised if they weren't looking for weaknesses in popular apps. Then there is social engineering. While convincing someone to install software is likely desirable, it certainly isn't the only approach.

Either way, I don't think Google's approach is solving the problem and I think it is going to do a huge amount of damage. Let's face it: major corporations aren't a paragon of goodness, yet Google's shift is handing them the market.

warkdarrior 11 hours ago

> targeted multi-year campaigns that probably require the resources of a nation state

Ha ha ha, "resources of a nation state"! One could run phishing campaigns at scale over many years without breaking the bank. This was true before LLMs, it's probably even cheaper now.