Another large wave of spam has been hitting Google Drive users over the past few weeks. You might have noticed it either through an email in your Gmail inbox or a notification on your phone — or both — saying that an unknown email address mentioned you in a document. The comment includes a URL that you should absolutely not click. This is not the first time spammers have abused Drive, Calendar, or even Photos, and it likely won't be the last. Google's steps to remedy the different situations have been nothing but a band-aid over a bleeding, gaping hole. A more radical solution should be implemented at a higher level.
Phishing spam has been an issue in Google services for years now for the simple reason that anyone with your email address can invite you to an event or share with you a file or photo without your prior approval. If your email address leaked at any point in time — not from a Gmail breach, I should clarify, but from other services where you signed in with your Gmail address, like Spotify or Dropbox — then it's public and fair game to a bunch of malevolent spammers.
Once that happens, there's no stopping the deluge of crap you'll be subjected to. Gmail does a good job of throwing scammy emails into its spam folder, but other Google services don't have such a filter. Google+ and Hangouts suffered from this issue and it wasn't until an option to disable invites/chats from people outside of your contact list was implemented that the unwanted messages and calls stopped.
Calendar, Drive, and Photos don't have a similar toggle, and spammers have been abusing this open door for years. Even though there's no huge wave of Calendar or Photos spam now, dozens of threads have complained about it in the past few months, saying they're getting photos from people they don't know, or events they don't approve of are getting added to their calendars. Some of this behavior is getting flagged by Google's systems and the calendar events are eventually hidden away automatically, but they still show up in unlikely places, like Android Auto and Calendar's search.
Drive, however, is seeing this new orchestrated spam attack that exploits document comments to mention anyone by their email address and send a dangerous phishing URL their way. Aside from the multitude of online reports and complaints, many of us on the Android Police team have received these too, and we verified there's nothing we can do to stop them. 9to5Google shared a way to filter the automatic emails these comments send to your inbox, but that just means you won't see the email; it doesn't mean the comments and shares will stop for real. On Android, you can disable the Google Drive app's comments notification channel, but again, that just means you won't see it. It's still there. The only real step you can take is to report each of these as abuse and spam, to hopefully help Google's algorithms catch them faster.
Google says it's working on stopping this new phishing method, but we all know a new one will come sooner or later. Even when there's no large-scale spam campaign like this one, there are always small ones affecting users here and there.
Using algorithms to detect spam after it happens is clearly not a solution to this recurring problem, because as long as there's a door, whether it's wide open or slightly ajar, scammers will slip right in.
The only way to stop this kind of abuse is to nip it in the bud. Let users set privacy preferences in Calendar, Drive, and Photos to only allow event invites or file shares and mentions from people in their contacts. Better yet, make that the default, and let those who want to open up their email address opt out of it manually so it's a conscious choice. If you close access and someone outside of your contacts wants to share anything with you, they'd have to request to do so beforehand. (And make that request text-only, so there's no room for phishing.)
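To make the proposed policy concrete, here is an added example (not Google's code, and not part of the original article) of how a contacts-only gate for share and mention notifications could work on the receiving side. It assumes a hypothetical notification record with `mentioned_by` and `comment` fields and a user-maintained contact list; the sample notifications and addresses are constructed for the demonstration. A mention from a contact is delivered as-is, a mention from an unknown sender is turned into a text-only request with every link stripped, and an unknown sender whose comment carries a link is held back entirely.

```python
import re
from dataclasses import dataclass

# Matches http(s) links and mailto: links inside a comment body.
URL_RE = re.compile(r"(?:https?://|mailto:)[^\s<>\"')]+", re.IGNORECASE)

# Constructed sample notifications standing in for the emails/push alerts
# Drive sends when someone mentions you in a document comment.
SAMPLE_NOTIFICATIONS = [
    {"mentioned_by": "Colleague@example.com",
     "comment": "@you can you review section 2 before Friday?"},
    {"mentioned_by": "random123@mailer.example",
     "comment": "@you claim your reward here http://phish.example/login now"},
    {"mentioned_by": "random456@mailer.example",
     "comment": "@you I would like to share a quarterly report with you"},
]

# Constructed contact list for the receiving user.
MY_CONTACTS = {"colleague@example.com", "friend@example.org"}


@dataclass
class Verdict:
    action: str    # "deliver", "request_pending" or "quarantine"
    text: str      # what the user would actually see
    reason: str


def strip_links(comment: str) -> str:
    """Reduce a comment to text only, so a share request cannot carry a phishing URL."""
    return re.sub(r"\s{2,}", " ", URL_RE.sub("[link removed]", comment)).strip()


def triage(notification: dict, contacts: set) -> Verdict:
    """Apply the contacts-only policy to one mention/share notification."""
    sender = notification["mentioned_by"].strip().lower()
    comment = notification["comment"]
    links = URL_RE.findall(comment)

    # Known contact: deliver the mention unchanged, this is the opt-in relationship.
    if sender in contacts:
        return Verdict("deliver", comment, "sender is in contacts")

    # Unknown sender pushing a link: do not surface it at all, this is the
    # exact pattern the current comment-spam wave relies on.
    if links:
        return Verdict("quarantine", "",
                       f"unknown sender with {len(links)} link(s) held for review")

    # Unknown sender, no link: show a text-only request the user can accept or ignore.
    return Verdict("request_pending", strip_links(comment),
                   "unknown sender; shown as a text-only share request")


def triage_all(notifications, contacts):
    """Return the verdict for every notification, in order."""
    return [triage(n, contacts) for n in notifications]


if __name__ == "__main__":
    for n, v in zip(SAMPLE_NOTIFICATIONS, triage_all(SAMPLE_NOTIFICATIONS, MY_CONTACTS)):
        print(f"{n['mentioned_by']:28} -> {v.action:16} ({v.reason})")
```

Note that the contact check normalizes case and whitespace before comparing, and that the text-only request path strips links rather than merely hiding the notification, which is the difference between the filter workarounds mentioned earlier and the opt-in model the article asks for.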
This would be slightly more inconvenient, but it's not any different from the various privacy-centered firewalls many services have implemented. In WhatsApp, users can choose to not be automatically added to groups unless they know the admin or manually approve the invite. On Twitter, you can only allow DMs from people you follow. On Instagram, you can limit tags, comments, and mentions to people you follow, or better yet, make your whole account private. A similar option from Google would be greatly appreciated.