Google has issued a further explanation of its security policy for the Android ecosystem. Although strict identity verification standards for application "sideloading" are about to be implemented, Google's official website has also confirmed that in the future, "experienced users" will still be given the option to install applications from unverified developers, provided they fully understand the risks.
This policy change shows that Google is trying to find a new balance between strengthening system security and maintaining the openness of Android.
Developers will be required to verify their identity; otherwise, sideloading will be blocked.
Back in August of this year, Google announced it would implement a new security feature. The requirement is that developers must verify their identity if they want their applications to be sideloaded by Android users (i.e., installed directly as APK files without going through the Google Play Store).
Google has begun inviting developers who "exclusively distribute their apps outside the Play Store" to participate in early access testing of the authentication feature through the Android Developer Console. The main purpose of this move is to curb the proliferation of malware, especially fraudulent apps rapidly generated by anonymous malicious actors.
In response to community feedback, an "advanced process" to bypass the restrictions will be provided.
However, this restriction has also raised concerns among some developers and power users (heavy users), who believe it could stifle the long-standing freedom of the Android system.
In response, Google stated in its announcement that after receiving feedback from developers and advanced users who wanted to retain the ability to download unverified apps, the company decided to adjust its approach. Google stated that it is currently building a "new advanced flow" that allows experienced users to choose to "accept the risk of installing unverified software."
While Google hasn't detailed how it defines or determines who is an "experienced user," nor has it shown the specific design of the process, the company emphasizes that the process is designed to ensure that ordinary users are not misled by scammers and accidentally trigger it. The system will display "clear warnings" about potential risks. Google is currently collecting feedback on this mechanism and expects to share more details in the coming months.
Targeting common scams in Asia: Impersonating bank customer service to lure users into downloading content.
Google's extensive efforts to restrict sideloading are primarily aimed at combating specific types of cyberattacks. Google explains that, particularly in Asia, a common attack tactic involves fraudsters impersonating bank employees, calling victims, claiming their accounts have been hacked, and instructing them to "sideload" an application purported to protect funds but which is actually malware.
During the process, scammers often use persuasive tactics to pressure victims into ignoring security warnings that pop up in the system. Once installed, these malicious apps steal victims' login credentials and can even intercept two-factor authentication (2FA) codes required to access bank accounts.
Google stated frankly: "Although we have advanced safeguards to detect and remove malicious apps, without identity verification, malicious actors can instantly create new harmful apps, turning it into an endless game of whack-a-mole."
By mandating verification, Google hopes to force attackers to use real identities to distribute malware, significantly increasing the difficulty and cost of their attacks. However, this verification requirement for developers is still in its early stages and is not expected to be widely rolled out until the end of 2026.



