Google to Require App Verification for Android Sideloading with Power User Bypass
Google has announced a new policy requiring all Android apps installed outside the Google Play Store to undergo developer verification, aiming to curb the rise of malware and scam campaigns exploiting sideloading. The company cited increasingly aggressive online threats and the use of social engineering tactics that prompt users to bypass existing security warnings, leading to the installation of malicious applications. Under the new system, unverified apps will be blocked from installation on Google-certified devices, with the goal of making it harder for threat actors to distribute harmful software.
In response to backlash from users and developers concerned about the impact on Android's openness, Google has stated that it will provide an exemption mechanism for "experienced users" or power users, though the specifics of this bypass have not yet been finalized. The move represents a balancing act between enhancing platform security and maintaining the flexibility that has traditionally set Android apart. Google has previously faced criticism for similar restrictions and appears to be adjusting its approach to address both security and user autonomy concerns.

Get ahead of threats like this
Mallory correlates global threat intelligence with your attack surface — know if you’re exposed before adversaries strike.
How this story unfolded
4 events from the most recent confirmed update back to the earliest known activity.
Google announces Android developer verification and app registration rollout
Google announced a developer verification program for all Android developers and an app registration system linking apps to verified developer identities. The company said developers can begin verification immediately, with user-facing protections starting in September 2026 in Brazil, Indonesia, Singapore, and Thailand before expanding globally in 2027.
Google publishes Android developer verification documentation
Google published official Android Developers documentation for developer verification, indicating a concrete implementation or formalization of verification requirements for Android developers. This represents a later development distinct from the November 2025 registration-rule rollback and sideloading policy changes.
Google reverses course on new Android developer registration rules
Google backtracked on newly introduced Android developer registration requirements after criticism, signaling a rollback or revision of the planned rules. This represented a separate policy response affecting how developers register for Android app distribution.
Google announces Android sideloading verification with power-user bypass
Google announced upcoming Android changes that will require verification of sideloaded apps, while also saying advanced users will be able to bypass the new restrictions. The announcement marked a significant policy shift in how Android will handle app installation outside official channels.
Related entities
Vulnerabilities, threat actors, malware, products, organizations, and breaches Mallory has linked to this story.
Sources
5 references tracked. Mallory keeps watching after this page renders.
Android developers just got a new verification layer - Help Net Security
helpnetsecurity.com
Open sourceAndroid developer verification | Android Developers
developer.android.com
Open sourceGoogle backpedals on new Android developer registration rules
bleepingcomputer.com
Open sourceGoogle will let Android power users bypass upcoming sideloading restrictions
arstechnica.com
Open sourceAndroid Sideloading Crackdown: Google to Verify All Apps, But Promises Power-User Bypass
securityonline.info
Open sourceSee the full picture, correlated to your attack surface.
Map indicators from this story to your assets and identify affected systems in minutes.
Every observed campaign, victim, and pivot linked to actors named in this story.
Malware, exploits, and IOCs connected to the activity described here.
YARA, Sigma, and Snort rules deployed to your SIEM as soon as they’re published.
Get matching new stories delivered to your team as they break — not the next morning.
Ask questions about this story and take action on the answers.


