Google has announced a profound change in the way applications are installed on Android: starting in the next few months, publishers will have to verify your identity so that your apps can run on Google-certified devices, even when downloaded outside the official store.
The measure aims to reduce fraud and malware without closing the door to external facilities. In other words, the side loading will still be possible, but with a traceability layer that identifies who is behind each app and complicates the anonymity of malicious actors.
Schedule and countries in the first deployment
Google has defined a phased plan with Key datesEarly access will open by invitation in October 2025; verification will be available to all developers in March 2026; and mandatory verification will be available in the first markets of Brazil, Indonesia, Singapore, and Thailand in September 2026.
After that phase, the rollout will be extended to more countries until it is completed in 2027. If a user tries to install an app from an unverified publisher on a certified device, the system will display a security notice and will block the installation until the developer regularizes its situation.
What's changing for sideloading and alternative stores?
El side loading —installing APKs from the web or third-party stores—hasn't gone away, but it remains subject to a universal requirement: Every app must come from a verified developer when installed on a Google-certified Android device.
Google compares the change to an identity check at an airport: it checks who you are, not what you have in your suitcase. The content and origin of apps will continue to be reviewed by Google Play Protect, while the identity will go through a new console designed for those who distribute outside of the Play Store.
With this additional layer, the company seeks to make it difficult cybercriminal recidivism that could previously reappear under other identities, reducing brand spoofing and the reposting of blocked apps.
Verification requirements for developers
To pass verification, Google will request basic information and, in the case of organizations, additional information. The goal is to have an identifiable person responsible behind every application.
- Personal data: legal name, address, email and phone number.
- Organizations: D‑U‑N‑S number, website verification, and, if applicable, official documentation.
- App property: package name and signature keys to prove ownership.
There will be a lighter channel for students and hobby developers, with less bureaucracy and without the $25 registration feeIn all cases, the identity is validated in a dedicated console for external distribution and in the Play Developer Console for those publishing on the store.
Affected devices and those left out
The obligation applies to devices that have passed the Compatibility Test Suite and have Google services, i.e. certified Android devices with access to Google Play and Play Protect. Brands such as Samsung, Xiaomi, Motorola, OnePlus, Oppo, Vivo, and Pixel fall into this category.
Instead, terminals not certified —like many Huawei models, Amazon Fire tablets, or certain TV boxes—are not subject to this requirement and will be able to continue installing apps from any source without the new identity check.
The context: malware campaigns and cleanup on Google Play
The reinforcement comes after several episodes that have tested the security of the ecosystem. According to a Zscaler ThreatLabs analysis, 77 malicious apps with more than 19 million downloads, where adware (almost two-thirds), Joker variants, and banking Trojans such as Anatsa/TeaBot predominated.
Joker is able to subscribe to premium services without consent and read or send SMS, while Anatsa exploits accessibility permissions to overlay financial apps and steal credentials; Harly and other families hide malicious code to evade controls.
These campaigns employed techniques such as modified APKs, dynamic encryption, and emulator detection. Google quickly removed the reported apps, but they recommend users manually check your devices because previous installations may still be active.
- Keep activated Google PlayProtect.
- Check origin and reviews before installing.
- Grant only essential permits.
- Avoid external sources Google Play when it is possible.
- contact him booth and change credentials if there are signs of fraud.
Google is trying to raise the security bar of the Android ecosystem without giving up its historical openness: external installations will still be allowed, but under verified identity, warnings and blocks when the requirements are not met. With a schedule that starts in 2026 and extends globally in 2027, users and developers have room to adapt to the new processes and tools.
