Date: 2025-08-28

Google will require sideloaded apps to have verified developers in order to be installed on certified Android devices in a new effort to combat mobile malware.

The company announced Monday that, starting in September 2026, all Android apps downloaded in Brazil, Indonesia, Singapore and Thailand must be registered by a verified developer, with plans to expand the requirement globally in 2027 and beyond.

Since 2023, only developers of apps distributed through the official Google Play Store have been required to verify their identity or organization.

Currently, third-party apps from external sources can be sideloaded onto certified Android devices without any verification, although Google Play Protect, which is activated on certified devices by default, may still scan these apps for malware.

Google reported that a recent analysis found more than 50 times more malware in sideloaded apps compared with apps verified through the Google Play Store.

The company stated that requiring verification will make it more difficult for malicious actors to operate anonymously to impersonate legitimate developers and distribute harmful apps at a mass scale.

However, the announcement also emphasized that developer verification will be less rigorous than registering apps through the Google Play Store and still allow users freedom to sideload apps from outside sources.

“Think of it like an ID check at the airport, which confirms a traveler’s identity but is separate from the security screening of their bags; we will be confirming who the developer is, not reviewing the content of their app or where it came from,” Suzanne Frey, vice president of product, trust & growth for Android, wrote on the Android Developers Blog.

To support the new verification process, Google will be building a new Android Developer Console specifically for developers who distribute apps outside of the Google Play Store.

To verify their identity, developers will be required to provide details including their legal name, address, email address, phone number, and potentially an official government ID. Organizations will also need to verify their website and provide a D-U-N-S number.

The information provided for verification will not be made available to those who install sideloaded apps, unlike for apps provided through the Google Play Store, Android Authority reported. Additional accommodation is also planned specifically for student and hobbyist developers, such as waiver of a $25 registration fee, according to Android Authority.

Early access to the verification process will be available in October 2025 to developers who sign up ahead of time, with verification being open to all developers starting in March 2026, according to Google’s planned timeline.

Brazil, Indonesia, Singapore and Thailand will be the first countries where verification is required due to these countries being especially targeted by mobile attacks, according to Google. The company reported positive feedback from government and industry officials in these countries, including the Brazilian Federation of Banks (FEBRABAN), which stated the change is a “significant advancement in protecting users and encouraging accountability.”

Google’s announcement comes as a recent report by Zscaler ThreatLabz revealed that 77 malicious apps with a total of more than 19 million installations were discovered on the Google Play Store, managing to bypass the official store’s protections. Among these apps was the Anatsa banking trojan, which targets more than 831 financial institutions globally and is spread through seemingly benign decoy apps such as document readers.

Zimperium’s zLabs also reported this week that a new version of the Hook Android banking trojan now has ransomware-like capabilities along with 40 new remote commands. Hook is typically distributed through sideloading from malicious GitHub repositories.

In contrast to Google, Apple has long required all apps to be distributed through the official Apple App Store, a practice which was challenged last year by the European Union’s Digital Markets Act. The competition regulation required Apple to allow iOS apps to be sideloaded from alternative app marketplaces in the EU, which the company argued put users at an increased risk of cyber threats.

“Because users trust Apple to keep their devices protected, they have not had to worry about whether their source of third-party apps or their in-app payment system posed a threat to them. Users will no longer be able to assume that protection,” the company said in a March 2024 whitepaper.