
Google Adds 24-Hour Wait for Unverified App Sideloading to Reduce Malware and Scams

Ravie Lakshmanan | March 20, 2026 | Data Privacy / Mobile Security

Google on Thursday announced a new “improved flow” for Android sideloading that requires a mandatory 24-hour waiting period before installing apps from unverified developers, in an effort to balance openness and security.

The changes come on the back of a developer verification mandate the tech giant announced last year, which requires all Android apps to be registered by verified developers in order to be installed on certified Android devices. The move, the company added, is meant to flag bad actors quickly and prevent them from spreading malware.

This also covers scenarios in which attackers trick unsuspecting users who install such apps into granting elevated privileges that make it possible to disable Play Protect, an anti-malware feature built into all Google-approved Android devices.

However, the mandatory registration requirements have been met with criticism from more than 50 app developers and marketplaces, including F-Droid, Brave, the Electronic Frontier Foundation, Proton, Tor Project, and Vivaldi, who say the requirements risk creating conflicts and barriers to entry, and raise privacy and surveillance concerns given the lack of clarity about what personal information from developers will be used and how it is protected under government requests or legal processes.

To address some of these concerns, Google has emphasized that the new enhanced flow allows power users to retain the ability to sideload apps from unverified developers through a one-time process that requires them to follow the steps below:

  • Enable developer mode in system settings.
  • Confirm that they are taking this step voluntarily and are not being coached.
  • Restart the phone and re-authenticate to prevent a scammer from monitoring the user’s actions.
  • Wait for a period of 24 hours and confirm that they really want to make this change by authenticating with the device’s biometrics or PIN.
  • Install apps from unverified developers once they understand the risks, either permanently or for a period of seven days.

“In that 24-hour period, we think it becomes more difficult for attackers to continue their attacks,” Android Ecosystem President Sameer Samat was quoted as saying by Ars Technica. “At that point, you may find that your loved one is not really arrested or that your bank account is not really being raided.”

Google also said it plans to offer free “limited distribution accounts” that allow hobbyist developers and students to share apps with up to 20 devices without “providing a government-issued ID or paying a registration fee.”

It is worth noting that the procedure mentioned above does not apply to installations via Android Debug Bridge (ADB). Limited distribution accounts for students and hobbyists, as well as advanced user flows, will be available in August 2026, before new developer verification requirements go into effect the following month.

“We know that a ‘one size fits all’ approach doesn’t work for our diverse ecosystem,” Google said. “We want to make sure identity verification isn’t a barrier to entry, so we offer different options to fit your specific needs.”

This development coincides with the emergence of a new Android malware called Perseus that is targeting users in Turkey and Italy for the purpose of device takeover (DTO) and financial fraud.

In these four months, at least 17 malware families have been discovered in the wild. They include FvncBot, SeedSnatcher, ClayRat, Wonderland, Cellik, Frogblight, NexusRoute, ZeroDayRAT, Arsink (and its enhanced variant SURXRAT), deVixor, Phantom, Massiv, PixRevolution, TaxiSpy RAT, BeatBanker, Mirax RAT, and Oblivi.
