Pump my Android safely: cybersecurity implications of the new app verification introduced by Google

August 29, 2025

With a goal to curb malware and financial scams, Google has announced a new policy requiring developer verification for all Android app installations on certified devices – those with preloaded Google Mobile Services (like Samsung, Pixel, and others) — starting in 2026, extending beyond the Google Play Store to include sideloading and third-party app stores in an effort to curb malware and financial scams.

While currently users can install apps on devices running Android in different ways – they can download them from Google Play or other available stores, but also sideload them from APK (Android Package Kit used to distribute and install apps on Android OS) files, bypassing store moderation. The new “ID check” is going to verify developers’ identities. The rollout begins with verification access in October 2025 for select developers, opens to all in March 2026, and enforcement starts in September 2026 in “high-risk” countries like Brazil, Indonesia, Singapore, and Thailand before going global in 2027.

Google’s new developer verification policy for Android apps is a timely response to an evolving mobile threat landscape. According to Kaspersky’s report, attacks on Android smartphones in Q1 2025 increased, with the number of detected malware samples reaching 180,000 (up 27% from Q4 2024). Threats were blocked on devices of over 12 million smartphone users (up 36% from Q4 2024). The upward trend in attacked users has continued since Q3 2024. Common threats include phishing apps and stealers disguised as legitimate software.

“A major security issue in this landscape is the ability for users to install unverified apps from outside stores. These direct downloads bypass additional safeguards such as Google Play checks before app publication. While installing unverified APK files offers flexibility for power users, it essentially turns the device into a potential entry point for attacks, underscoring the need for stricter controls”, comments Tatyana Shishkova, Lead Security Researcher, Global Research and Analysis Team at Kaspersky. “Overall, requiring verification for all app developers who want their apps to run on Google-certified devices is a positive step forward in bolstering Android’s security”, she added. 

The new verification policy will apply only to Android devices with preloaded Google Mobile Services and Play Protect; smartphones running de-Googled ROMs, such as those on LineageOS or Android versions without Google Services (like Huawei devices), remain unaffected and can continue to sideload unverified APK files.

Despite Google Play’s security measures, malicious apps still infiltrate the store, with thousands of downloads identified in 2025 alone, often masquerading as legitimate software to steal data or deliver malware. These threats, including trojans and phishing apps, exploit gaps in app review processes and user trust, underscoring that even official stores aren’t immune to the Android malware surge. Kaspersky found malware on Apple’s AppStore as well. So it’s important for users to be aware of risks when installing apps from any source, and use a trusted mobile protection solution, such as Kaspersky for Android.

Kaspersky is a global cybersecurity and digital privacy company founded in 1997. With over a billion devices protected to date from emerging cyberthreats and targeted attacks, Kaspersky’s deep threat intelligence and security expertise is constantly transforming into innovative solutions and services to protect individuals, businesses, critical infrastructure, and governments around the globe. The company’s comprehensive security portfolio includes leading digital life protection for personal devices, specialized security products and services for companies, as well as Cyber Immune solutions to fight sophisticated and evolving digital threats. We help millions of individuals and nearly 200,000 corporate clients protect what matters most to them. Learn more at www.kaspersky.com