Android will ban APKs from unverified developers from 2026

To counteract malicious applications і financial fraud on Android, Google has announced that it is strengthening security measures. Starting from 2026, only applications whose developers have passed the verification procedure will be allowed to be installed on certified Android devices.

This requirement applies to “certified Android devices” that have Play Protect and come with pre-installed Google apps. Similar rules were already introduced on Google Play in 2023, but now the company extends them to all installation methods — not only the official store, but also third-party markets and manual installation when the user downloads the APK file from another source.

Google compares the new approach to checking an identity card at the airport: it confirms who the “passenger” is (i.e., the developer), but does not inspect their “baggage” (the content of the app or the source from which it came).

The purpose of these measures is to make it harder for “convincing fake apps” to spread and to prevent attackers from quickly launching a new malicious program after the previous one has been blocked. In its own analysis, Google notes that the amount of malware in apps downloaded from random Internet sources is more than 50 times higher than in apps available through Google Play.

The company emphasizes that “developers will retain full freedom to distribute their apps directly through manual uploads or choose any third-party store.” For this purpose, Google is creating a new Android Developer Console specifically for developers who do not use Google Play. Students and enthusiastic developers will have a separate, simplified process, different from the one for commercial companies.

Developers who already work through Google Play have actually fulfilled most of the requirements, as the Play Console provides for similar verification. For organizations, in particular, a D-U-N-S registration ID is required. The first developers will get access to the verification procedure in October this year, and from March 2026, it will be available to everyone.

The new rules will take effect in September 2026 in Brazil, Indonesia, Singapore, and Thailand. Google explains that these are the countries most affected by fraudulent schemes with third-party applications. In these countries, from the moment of launch, any application installed on a certified Android device will have to belong to a verified developer. Starting in 2027, the requirement will become global.

Google also reports “positive initial feedback” from government agencies and partners.

• The Indonesian Ministry of Communications and Digital Technology called the approach a “balanced solution” that protects users but also preserves the openness of Android.
• Thailand’s Ministry of Digital Economy and Society praised it as a “positive and proactive step” in line with their national digital security policy.
• The Federation of Brazilian Banks (FEBRABAN) considers the initiative “an important progress in protecting users and strengthening the responsibility of developers”.

Source: 9to5google