THREATNOIR
Subscribe
Back to Feed
PolicyMar 20, 2026

Google Adds 24-Hour Wait for Unverified App Sideloading to Reduce Malware and Scams

Google implements 24-hour wait for unverified Android app sideloading to combat malware.

Read at source

Summary

Google announced a new 'advanced flow' requiring a mandatory 24-hour waiting period before users can sideload apps from unverified developers on Android, aiming to reduce malware and scams while balancing openness and safety. The measure includes additional friction points (developer mode confirmation, biometric re-authentication, restart requirement) and comes alongside a developer verification mandate that has drawn criticism from over 50 organizations including F-Droid, EFF, and Tor Project over privacy and surveillance concerns. Google is also introducing free 'limited distribution accounts' for hobbyists and students to reduce barriers to entry, with both features launching in August 2026.

Full text

Google Adds 24-Hour Wait for Unverified App Sideloading to Reduce Malware and Scams Ravie LakshmananMar 20, 2026Data Privacy / Mobile Security Google on Thursday announced a new "advanced flow" for Android sideloading that requires a mandatory 24-hour wait period to install apps from unverified developers in an attempt to balance openness with safety. The new changes come against the backdrop of a developer verification mandate the tech giant announced last year that requires all Android apps to be registered by verified developers to be installed on certified Android devices. The move, it added, was done to flag bad actors faster and prevent them from distributing malware. This also includes potential scenarios where cybercriminals trick unsuspecting users who sideload such apps into granting them elevated privileges that make it possible to turn off Play Protect, the anti-malware feature built into all Google-certified Android devices. However, the mandatory registration requirements have been met with criticism from over 50 app developers and marketplaces, including F-Droid, Brave, The Electronic Frontier Foundation, Proton, The Tor Project, Vivaldi, who say they risk creating friction and barriers to entry, and raise privacy and surveillance concerns in the absence of clarity about what personal information developers must provide, how this data will be stored, secured, and used, and if it could be subject to government requests or legal processes. As a way of quelling some of these thorny issues, Google has emphasized that the newly developed advanced flow allows power users to maintain the ability to sideload apps from unverified developers with a one-time process that requires them to follow the steps below - Enable developer mode in system settings. Confirm that they are taking this step of their own volition and are not being coached. Restart the phone and re-authenticate so as to prevent a scammer from monitoring what actions a user is taking. Wait for a 24-hour period and confirm that they are really making this change with biometric authentication or device PIN. Install apps from unverified developers once users understand the risks, either indefinitely or for a period of seven days. "In that 24-hour period, we think it becomes much harder for attackers to persist their attack," Android Ecosystem President, Sameer Samat, was quoted as saying to Ars Technica. "In that time, you can probably find out that your loved one isn’t really being held in jail or that your bank account isn’t really under attack." Google also said it plans to offer free "limited distribution accounts" that let hobbyist developers and students share apps with up to 20 devices without having to "provide a government-issued ID or pay a registration fee." It's worth noting that the aforementioned process does not apply to installs via the Android Debug Bridge (ADB). Limited distribution accounts for students and hobbyists, as well as advanced flow for users, will be available in August 2026, before the new developer verification requirements take effect the month after. "We know a 'one size fits all' approach doesn't work for our diverse ecosystem," Google said. "We want to ensure that identity verification isn't a barrier to entry, so we’re providing different paths to fit your specific needs." The development coincides with the emergence of a new Android malware called Perseus that's actively targeting users in Turkey and Italy with an aim to conduct device takeover (DTO) and financial fraud. Over the four months, at least 17 Android malware families have been detected in the wild. They include FvncBot, SeedSnatcher, ClayRat, Wonderland, Cellik, Frogblight, NexusRoute, ZeroDayRAT, Arsink (and its improved variant SURXRAT), deVixor, Phantom, Massiv, PixRevolution, TaxiSpy RAT, BeatBanker, Mirax, and Oblivion RAT. Found this article interesting? Follow us on Google News, Twitter and LinkedIn to read more exclusive content we post. SHARE     Tweet Share Share Share SHARE  Android, cybersecurity, data privacy, Google, Malware, mobile security, Threat Intelligence Trending News Citrix NetScaler Under Active Recon for CVE-2026-3055 (CVSS 9.3) Memory Overread Bug CISA Adds CVE-2025-53521 to KEV After Active F5 BIG-IP APM Exploitation TeamPCP Pushes Malicious Telnyx Versions to PyPI, Hides Stealer in WAV Files China-Linked Red Menshen Uses Stealthy BPFDoor Implants to Spy via Telecom Networks ThreatsDay Bulletin: PQC Push, AI Vuln Hunting, Pirated Traps, Phishing Kits and 20 More Stories Coruna iOS Kit Reuses 2023 Triangulation Exploit Code in Recent Mass Attacks FCC Bans New Foreign-Made Routers Over Supply Chain and Cyber Risk Concerns Citrix Urges Patching Critical NetScaler Flaw Allowing Unauthenticated Data Leaks TeamPCP Backdoors LiteLLM Versions 1.82.7–1.82.8 via Trivy CI/CD Compromise FBI Warns Russian Hackers Target Signal, WhatsApp in Mass Phishing Attacks Trivy Security Scanner GitHub Actions Breached, 75 Tags Hijacked to Steal CI/CD Secrets Google Adds 24-Hour Wait for Unverified App Sideloading to Reduce Malware and Scams Apple Warns Older iPhones Vulnerable to Coruna, DarkSword Exploit Kit Attacks 54 EDR Killers Use BYOVD to Exploit 35 Signed Vulnerable Drivers and Disable Security New Perseus Android Banking Malware Monitors Notes Apps to Extract Sensitive Data ⚡ Weekly Recap: CI/CD Backdoor, FBI Buys Location Data, WhatsApp Ditches Numbers and More Popular Resources Detect AI-Driven Threats Faster With Full Network Visibility [Demo] Discover SaaS Risks and Monitor Every App in Your Environment [Guide] Learn How to Govern AI Agents With Proven Market Guidance SANS SEC401: Get Hands On Skills to Detect and Respond to Cyber Threats

Indicators of Compromise

  • malware — Perseus
  • malware — FvncBot
  • malware — SeedSnatcher
  • malware — ClayRat
  • malware — Wonderland
  • malware — ZeroDayRAT
  • malware — TaxiSpy RAT
  • malware — BeatBanker
  • malware — Oblivion RAT