Google will allow ‘experienced users’ to sideload unverified Android apps

In August, Google announced that it would implement a new security feature that will require developers to verify their identities if they want Android users to be able to sideload their apps. Now, the company has started inviting developers who distribute exclusively outside the Play Store for early access to the identity verification feature in the Android Developer Console. Google also revealed in the same announcement that despite its new rule, it will still give experienced users the option to sideload unverified apps onto their Android devices.

The company said it has received feedback from developers and power users who want to retain the ability to download unverified apps. That’s why it’s now “creating a new advanced flow that allows experienced users to accept the risks of installing software that is not verified.” Google didn’t reveal how it designed the feature or how it will determine whether someone is a “power user,” but it’s already gathering feedback about it and will share more details in the coming months. It said it has designed the flow to ensure users are not duped by scammers into bypassing security checks, including by showing them clear warnings about the risks involved.

As Google explained in its announcement, a common attack in Asia involves scammers calling victims and getting them to download malware disguised as legitimate applications. They pretend to be employees of a bank, warn victims that their account has been compromised and instruct them to sideload an app to secure their funds. Scammers will also pressure their targets to ignore security warnings when sideloading applications. The malware in the bad actors’ app will then steal the victim’s login and intercept the two-factor code needed to access their bank account.

“While we have advanced security measures and safeguards to detect and remove bad apps, without verification, bad actors can quickly create new harmful apps,” Google said. “It becomes an endless game of whack-a-mole. Verification changes the math by forcing them to use real identities to distribute malware, making attacks significantly harder and more expensive to scale.” However, it’s still early days for Google’s developer verification requirement, and it won’t be widely implemented until late 2026.


