Google has announced a new security update for Android that introduces a mandatory 24-hour waiting period before users can install apps from unverified developers. The move is aimed at reducing malware attacks and online scams while maintaining Android’s open ecosystem.
New ‘Advanced Flow’ for App Sideloading
The update introduces an “advanced flow” system that allows users to sideload apps—but with stricter safeguards.
To install apps from unverified sources, users must:
- Enable Developer Mode
- Confirm they are acting voluntarily
- Restart the device and re-authenticate
- Wait for 24 hours
- Verify again using PIN or biometrics
After completing these steps, users can install apps either temporarily (for 7 days) or permanently.
Focus on Preventing Scams and Malware
The change is designed to tackle growing threats where cybercriminals:
- Trick users into installing malicious apps
- Gain elevated permissions
- Disable built-in protections like Play Protect
According to Android Ecosystem President Sameer Samat, the delay gives users time to reconsider suspicious actions and avoid scams.
Developer Verification Policy
This update follows Google’s earlier decision to require:
- All developers to be verified
- Apps to be registered before installation on certified Android devices
The goal is to quickly identify bad actors and limit malware distribution.
Criticism From Developers and Privacy Groups
The policy has faced criticism from organizations such as:
- F-Droid
- Brave
- Electronic Frontier Foundation
- Proton
- The Tor Project
- Vivaldi
Concerns include:
- Increased barriers for independent developers
- Privacy risks related to identity verification
- Lack of clarity on how developer data is handled
New Option for Small Developers
To address these concerns, Google plans to introduce:
- Limited distribution accounts
- Allowing app sharing with up to 20 devices
- No requirement for government ID or fees
This aims to support students and hobby developers.
Rollout Timeline
- Advanced sideloading flow: August 2026
- Developer verification enforcement: September 2026
Notably, the new restrictions do not apply to ADB (Android Debug Bridge) installations.
Rising Malware Threats
The update comes amid increasing Android security threats, including a new malware strain called Perseus, targeting users in Europe for:
- Device takeover
- Financial fraud
In the past four months alone, 17 malware families have been identified, highlighting the urgency of stronger protections.
