Google is rolling out a new security measure for Android called Developer Verification, aimed at reducing malware from apps sideloaded outside the official Google Play Store. While Google Play has required app publishers to provide a D-U-N-S (Data Universal Numbering System) number since August 2023—a move that significantly reduced malicious activity—this safeguard hasn’t applied to the vast ecosystem of apps distributed through other channels.
Sideloaded apps have remained a key vector for malware. According to Google, its analysis shows that apps installed from outside Google Play carry more than 50 times the malware risk. Attackers often impersonate trusted developers, leveraging brand familiarity to trick users into downloading malicious software. To address this, Google is expanding its developer verification requirements to include both apps in the Play Store and those on third-party app platforms.
Beginning in October 2025, Google will offer early access to its Developer Verification program. By March 2026, it will be open to all Android developers. The company plans to enforce the identity requirement starting in September 2026 in Brazil, Indonesia, Singapore, and Thailand, with global enforcement to follow in 2027.
Once fully implemented, Android will block the installation of sideloaded apps from unverified developers on certified devices, displaying a security warning instead. Certified Android devices are those that pass Google’s Compatibility Test Suite (CTS) and ship with Google Play Services, the Play Store, and Play Protect—this includes popular models from Samsung, Xiaomi, OnePlus, and Google Pixel, among others.
However, the policy won’t apply to non-certified devices, such as Huawei phones, Amazon Fire tablets, and various unlicensed or heavily modified devices, including many low-end Chinese TV boxes. Users of these devices will still be able to install APKs from unverified sources—albeit at their own risk.
With Developer Verification, Google aims to strike a balance between Android’s open ecosystem and the need for stronger user protections, especially as sideloaded threats continue to surge.
