To combat malware and financial scams, Google announced today that only apps from developers that have undergone verification can be installed on certified Android devices starting in 2026.
This requirement applies to “certified Android devices” that have Play Protect and are preloaded with Google apps. The Play Store implemented similar requirements in 2023, but Google is now mandating this for all install methods, including third-party app stores and sideloading where you download an APK file from a third-party source.
Think of it like an ID check at the airport, which confirms a traveler’s identity but is separate from the security screening of their bags; we will be confirming who the developer is, not reviewing the content of their app or where it came from.
Google wants to combat “convincing fake apps” and make it harder for repeat “malicious actors to quickly distribute another harmful app after we take the first one down.” A recent analysis by the company found that there are “over 50 times more malware from internet-sideloaded sources than on apps available through Google Play.”
Google is explicit today about how “developers will have the same freedom to distribute their apps directly to users through sideloading or to use any app store they prefer.”
This new requirement sees Google create a new Android Developer Console for those that only distribute outside of Google Play. Students and hobbyists will get a separate workflow that differs from commercial developers.
Top comment by Sominemo
I'm struggling to see the benefit of this new policy. While it's presented as a security measure, the requirement to fill out these forms seems like a trivial barrier for actual malware creators, who will easily abuse the system. The real impact will be felt by legitimate developers who either value their privacy or don't want to be tied to Google's centralized ecosystem.
My primary concern is the potential for mismanagement, which could disproportionately harm independent developers. We've already seen how Google's automated systems can randomly ban established developers from Google Play with little to no feedback. A system like this, which grants Google even more oversight, could easily make this problem worse.
It's unclear if this will be a simple layer like Play Protect (which users can at least disable) or something far more restrictive that ruins the openness of the platform.
The lack of clarity is troubling. The developer community needs to be ready to push back and engage with regulators if this policy proves to be as damaging as it seems. But without concrete details from Google, it's difficult to know if a strong protest is warranted yet. My fear is that by the time we have clarity, the policy will already be in effect, and it will be too late.
Those that distribute via Google Play “likely already met these verification requirements through the existing Play Console process,” with a D-U-N-S number for organizations needed.
The first Android app developers will get access to verification this October, with the process opening to all in March 2026.
The requirement will go into effect in September 2026 for users in Brazil, Indonesia, Singapore, and Thailand. Google notes how these countries have been “specifically impacted by these forms of fraudulent app scams.” Verification will then apply globally from 2027 onwards.
At this point, any app installed on a certified Android device in these regions must be registered by a verified developer.
Google notes “supportive initial feedback” from government authorities and other parties:
- …with Indonesia’s Ministry of Communications and Digital Affairs praising it for providing a “balanced approach” that protects users while keeping Android open.
- …Thailand’s Ministry of Digital Economy and Society sees it as a “positive and proactive measure” that aligns with their national digital safety policies.
- In Brazil, the Brazilian Federation of Banks (FEBRABAN) sees it as a “significant advancement in protecting users and encouraging accountability.”
FTC: We use income earning auto affiliate links. More.
Comments