
Google on Thursday announced a new “advanced flow” for Android sideloading that requires a 24-hour waiting period to install apps from unverified developers in an effort to balance openness and security.
The new changes come on the back of the developer verification mandate the tech giant announced last year, which requires all Android apps to be registered by a verified developer and installed on a certified Android device. It added that the move was made to quickly flag malicious actors and prevent them from distributing malware.
This also includes a potential scenario where cybercriminals could trick unsuspecting users who sideload such apps into granting them elevated privileges that would allow them to turn off Play Protect, the anti-malware feature built into all Google-certified Android devices.
However, the mandatory registration requirements have drawn criticism from more than 50 app developers and marketplaces, including F-Droid, Brave, The Electronic Frontier Foundation, Proton, The Tor Project and Vivaldi, who say the lack of clarity over what personal information developers must provide, how this data will be stored, protected and used, and whether it may be subject to government requests or legal process risks creating friction and barriers to entry, and raises privacy and surveillance concerns.
As a way to quell some of these thorny issues, Google highlighted a newly developed advanced flow that allows power users to maintain the ability to sideload apps from unverified developers in a one-time process that requires them to follow the steps below.
1. Enable developer mode in system settings.
2. Confirm that they are taking this step of their own accord and are not being coached.
3. Restart the phone and re-authenticate so that scammers can’t monitor their actions.
4. Wait 24 hours and verify that this change has actually occurred using biometrics or the device PIN.
5. Once they understand the risks, install apps from unverified developers indefinitely or for 7 days.

“During that 24-hour period, we believe it will be much more difficult for attackers to continue their attacks,” Sameer Samat, president of the Android ecosystem, reportedly told Ars Technica. “By then, you’ll probably know that your loved one isn’t actually in jail and your bank account isn’t actually under attack.”
Google also said it plans to offer free “limited distribution accounts” that allow hobby developers and students to share apps on up to 20 devices without “providing a government-issued ID or paying a registration fee.”
Please note that the above process does not apply to installations via Android Debug Bridge (ADB). Limited distribution accounts for students and hobbyists and advanced flows for users will be available in August 2026 before new developer verification requirements go into effect next month.
“We know that a ‘one size fits all’ approach doesn’t work for our diverse ecosystem,” Google said in a statement. “We want to ensure that identity verification is not a barrier to entry, so we offer a variety of paths to suit a customer’s specific needs.”
This development coincides with the emergence of a new Android malware called Perseus that is actively targeting users in Turkey and Italy for device takeover (DTO) and financial fraud.
At least 17 Android malware families were detected in the wild over a four-month period. These include FvncBot, SeedSnatcher, ClayRat, Wonderland, Cellik, Frogblight, NexusRoute, ZeroDayRAT, Arsink (and its improved version SUXRAT), deVixor, Phantom, Massiv, PixRevolution, TaxiSpy RAT, BeatBanker, Mirax, and Oblivion RAT.
