Google Adds 24-Hour Wait for Unverified App Sideloading to Reduce Malware and Scams

On Thursday, Google announced a new "advanced flow" for sideloading Android apps This article explores apps unverified developers. . This flow requires a 24-hour wait period before installing apps from developers who aren't verified.

The goal is to find a balance between openness and safety. The tech giant announced a developer verification requirement last year that says that all Android apps must be registered by verified developers in order to be installed on certified Android devices. These new changes come in response to that requirement. It also said that the change was made to make it easier to find bad actors and stop them from spreading malware.

This also includes possible situations in which cybercriminals trick unsuspecting users into giving them higher permissions that let them turn off Play Protect, the built-in anti-malware feature on all Google-certified Android devices.

More than 50 app developers and marketplaces, such as F-Droid, Brave, The Electronic Frontier Foundation, Proton, The Tor Project, and Vivaldi, have spoken out against the mandatory registration requirements. They say they could cause problems and make it harder for new developers to get started. They also raise privacy and surveillance concerns because it is not clear what personal information developers must provide, how this data will be stored, secured, and used, or if it could be subject to government requests or legal processes.

To help with some of these difficult problems, Google has made it clear that the new advanced flow lets power users continue to sideload apps from unverified developers with a one-time process that requires them to follow the steps below: Enable developer mode in system settings. Make sure they are doing this on their own and not because someone is telling them to. To stop a scammer from watching what a user does, restart the phone and log in again.

Wait 24 hours and then check to see if they really are making this change by using biometric authentication or a device PIN. Users can install apps from developers who aren't verified for a set amount of time, either permanently or for seven days.

"During that 24-hour period, we believe it becomes much harder for attackers to continue their attack," Sameer Samat, President of the Android Ecosystem, told Ars Technica. "During that time, you can probably find out that your loved one isn't really in jail or that your bank account isn't really being hacked."" Keep in mind that the process described above does not work for installations made through the Android Debug Bridge (ADB).

Limited distribution for students and hobbyists, as well as advanced flow for users, will be available in August 2026, before the new developer verification rules go into effect the following month. Google said, "We know that a 'one size fits all' approach doesn't work for our diverse ecosystem."

"We want to make sure that identity verification doesn't keep people from getting in, so we're offering different ways to meet your needs." The development comes at the same time as the rise of a new Android malware called Perseus, which is actively targeting users in Turkey and Italy in order to take over their devices and commit financial fraud. At least 17 different types of Android malware have been found in the wild over the past four months.

They are FvncBot, SeedSnatcher, ClayRat, Wonderland, Cellik, Frogblight, NexusRoute, ZeroDayRAT, Arsink (and its better version, SURXRAT), deVixor, Phantom, Massiv, PixRevolution, TaxiSpy RAT, BeatBanker, Mirax, and Oblivion RAT.