Original Article Text

Google to verify all Android devs to block malware on Google Play

Google is introducing a new defense for Android called ‘Developer Verification’ to block malware installations from sideloaded apps sourced from outside the official Google Play app store.

For apps on Google Play, there was already a requirement for publishers to provide a D-U-N-S (Data Universal Numbering System) number, introduced on August 31, 2023. Google says this has had a notable effect in reducing malware on the platform. However, the system didn’t apply to the vast developer ecosystem outside the app store.

“We’ve seen how malicious actors hide behind anonymity to harm users by impersonating developers and using their brand image to create convincing fake apps,” reads Google’s announcement. “The scale of this threat is significant: our recent analysis found over 50 times more malware from internet-sideloaded sources than on apps available through Google Play.”

Although the threat is more prevalent outside Google Play, the developer verification requirement applies to both apps on Google Play and apps hosted on third-party app stores.

Starting in 2026, all apps installed on certified Android devices must come from developers who have verified their identity with Google. Early access to the Developer Verification program will begin this year in October, and the system will open to all Android application developers in March 2026. In September 2026, the identity verification requirement will become mandatory for Brazil, Indonesia, Singapore, and Thailand, before it rolls out globally in 2027.

The expected effect is that sideloaded, non-compliant apps will be blocked by the operating system with a security message on certified devices. Certified Android devices are those that have passed Google’s Compatibility Test Suite (CTS) and are approved to ship with Google Play Services, Play Store, and Play Protect.
In practice, this encompasses all mainstream devices from Samsung, Xiaomi, Motorola, OnePlus, Oppo, Vivo, and the Google Pixel line. Non-certified devices are those from Huawei, Amazon Fire tablets, and shady Chinese TV boxes or smartphones that use heavily modified OS images and questionable components. Those devices are not subject to the new rule enforcement, and their users will be able to continue sideloading APKs from unverified and anonymous developers.

Daily Brief Summary

MALWARE // Google Introduces Developer Verification to Combat Android Malware Threats

Google plans to implement a Developer Verification system to reduce malware from sideloaded Android apps outside the Google Play Store.

The initiative requires developers to verify their identity, aiming to prevent malicious actors from impersonating legitimate developers.

Analysis indicates malware from sideloaded sources is over 50 times more prevalent than from Google Play.

Starting in 2026, all apps on certified Android devices must originate from verified developers, with early access beginning in October 2023.

The mandatory verification will first apply in Brazil, Indonesia, Singapore, and Thailand in September 2026, expanding globally in 2027.

Certified devices, such as those from Samsung and Google, will block non-compliant apps, while non-certified devices remain unaffected.

The move seeks to enhance user safety by limiting the spread of malware through unverified app installations.