ZCyberNews

Google Tightens Android 17 Privacy Rules, Blocks 8.3 Billion Ads in 2025

Google announced new Android 17 privacy policies restricting contact and location data access, while its 2025 ad safety report details the blocking of 8.3 billion policy-violating ads and 24.9 million advertiser account suspensions.


Executive Summary

Google has implemented stricter privacy controls for Android 17, introducing new Play Store policies that significantly limit how third-party applications can access user contact lists and location data. The announcement coincides with the publication of Google's 2025 Ads Safety Report, which reveals the company blocked or removed over 8.3 billion advertisements that violated its policies and suspended 24.9 million advertiser accounts during the year, highlighting the scale of enforcement against malicious and fraudulent online advertising.

Technical Analysis

The core of the new Android policy, set to take effect later in 2026, targets the READ_CONTACTS and background location permissions. According to Google, the changes are designed to prevent unnecessary data collection and limit potential abuse vectors for fraud, spam, and social engineering. Under the updated rules, applications must now demonstrate a "primary in-app purpose" that is user-facing and directly requires contact or location data to function. Vague justifications, such as "social features" or "security purposes," will no longer be sufficient for approval. This represents a technical enforcement shift at the Google Play review level, moving beyond runtime permission prompts to gate access at the point of app publication and update. The policy does not affect core system functionality or apps where contact/location access is intrinsic to the stated purpose, such as a default messaging or navigation app.

Tactics, Techniques & Procedures

The ad safety data shows that malicious advertising continues at a massive scale. While Google did not provide a full technical breakdown of the 8.3 billion blocked ads, its past reports categorize major policy violations as fraud (fake goods, phishing, scams), inappropriate content, and abuse of the ad network for malware distribution or unauthorized data collection. The suspension of 24.9 million accounts indicates a persistent actor ecosystem that relies on creating disposable identities to bypass detection, a technique known as "bulk account creation" (T1585.001). The new Android permission policies aim to disrupt a related technique: abusing legitimate app permissions (T1574) to harvest sensitive data (contact lists, precise location) that can later be used for targeted phishing (T1598), fraud, or sold on criminal forums.

Threat Actor Context

The threat actors impacted by these changes are broad, encompassing the ad-fraud ecosystem, scammers, and data-harvesting operations. The ad fraud landscape includes both sophisticated cybercriminal groups operating large-scale invalid traffic (IVT) schemes and lower-skilled actors deploying phishing lures. The data privacy changes directly affect actors who have relied on repackaging or creating seemingly benign apps with overly broad permissions to build databases of personal information for secondary exploitation. Google's report does not attribute the blocked activity to specific named threat actor groups, framing it as an ecosystem-wide enforcement action.

Mitigations & Recommendations

For Android users and enterprises:

  • Review application permissions regularly, especially for READ_CONTACTS and background location access, and revoke them for apps where the need is not clear.
  • Exercise caution with new or unfamiliar apps requesting sensitive permissions, even from official stores.
  • Organizations should update mobile application management (MAM) and bring-your-own-device (BYOD) policies to reflect the heightened sensitivity of contact and location data.

For developers:

  • Audit existing applications for compliance with the new "primary in-app purpose" standard for contact and location permissions.
  • Prepare to justify these permission requests in detail during the Google Play app review process and consider implementing more granular, just-in-time data request flows.
  • Minimize data collection to only what is strictly necessary for app functionality, adhering to the principle of least privilege.
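A permission audit covering both the user/enterprise review step and the developer audit step above, as an added example that is not from the article or from Google: it parses `dumpsys package` output for the two permissions the article names and, on request, revokes them over adb. The exact dumpsys line layout is assumed, and the sample block is constructed rather than captured from a device.

```shell
#!/bin/sh
# Assumed: adb on PATH with a device attached, and `dumpsys package <pkg>`
# printing a "runtime permissions:" block with lines shaped like
#   android.permission.READ_CONTACTS: granted=true, flags=[ USER_SET ]
# SAMPLE below is constructed to that shape and is not real device output.

# The two permission families targeted by the policy change in the article.
WATCHED_READ_CONTACTS=android.permission.READ_CONTACTS
WATCHED_BG_LOCATION=android.permission.ACCESS_BACKGROUND_LOCATION

# granted_watched: read dumpsys output on stdin and print each watched
# permission that is currently granted=true, one per line (nothing if none).
granted_watched() {
  tr -d '\r' |
  sed -nE 's/^[[:space:]]*(android\.permission\.[A-Z_]+): granted=true.*/\1/p' |
  grep -Fx -e "$WATCHED_READ_CONTACTS" -e "$WATCHED_BG_LOCATION" || true
}

# audit_device: list third-party packages holding a watched permission.
# With the argument "revoke", also revoke it (works for runtime permissions).
audit_device() {
  mode=${1:-report}
  adb shell pm list packages -3 | tr -d '\r' | sed 's/^package://' |
  while IFS= read -r pkg; do
    adb shell dumpsys package "$pkg" | granted_watched |
    while IFS= read -r perm; do
      printf '%s\t%s\n' "$pkg" "$perm"
      [ "$mode" = revoke ] && adb shell pm revoke "$pkg" "$perm"
    done
  done
  return 0
}

# Constructed sample: contacts granted, background location requested but denied.
SAMPLE='    runtime permissions:
      android.permission.READ_CONTACTS: granted=true, flags=[ USER_SET ]
      android.permission.ACCESS_FINE_LOCATION: granted=true, flags=[ USER_SET ]
      android.permission.ACCESS_BACKGROUND_LOCATION: granted=false, flags=[ USER_SET ]'

# Stand-alone run parses the sample; pass "--device [revoke]" to audit a real device.
case "${1:-}" in
  --device) audit_device "${2:-report}" ;;
  *) printf '%s\n' "$SAMPLE" | granted_watched ;;
esac
```

Run against a device only from a workstation that is authorized to manage it; `pm revoke` changes the target app's granted permissions immediately.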
