In August, Google announced that it will implement a new safety feature that would require developers to verify their identities if they want Android users to be able to sideload their apps. Now, the company has started inviting developers that distribute exclusively outside of the Play Store to the early access of the identity verification feature in Android Developer Console. Google has also revealed in the same announcement that despite its new rule, it will give experienced users the option to sideload even unverified apps on their Android devices.
The company said it received feedback from developers and power users who want to retain the ability to download unverified apps. That is why it’s now building “a new advanced flow that allows experienced users to accept the risks of installing software that isn't verified.” Google didn’t delve into how it designed the feature and how it will determine if someone is a “power user,” but it’s already gathering feedback about it and will share more details in the coming months. It did say that it designed the flow to ensure users aren’t duped into bypassing safety checks by scammers, including showing them clear warnings about the risks involved.
As Google explained in its announcement, one common attack in Asia involves scammers calling victims and making them download malware disguised as legitimate applications. They pretend to be employees from a bank, warning victims that their account has been compromised and instructing them to sideload an app to secure their funds. The scammers would also pressure their targets to ignore security warnings while they’re sideloading the application. The malware in the bad actors’ app will then steal the victim’s login and intercept two-factor codes needed to access their bank account.
“While we have advanced safeguards and protections to detect and take down bad apps, without verification, bad actors can spin up new harmful apps instantly,” Google said. “It becomes an endless game of whack-a-mole. Verification changes the math by forcing them to use a real identity to distribute malware, making attacks significantly harder and more costly to scale.” It’s still early days for Google’s developer verification requirement, however, and it won’t be rolling out widely until late 2026.