Google is preparing a significant change to Android sideloading security: a new advanced flow that enforces a mandatory 24-hour waiting period before users can install apps from unverified developers. The company presents this as an attempt to preserve Android’s open ecosystem while strengthening protection against rapidly growing mobile malware and social engineering attacks.
Advanced Flow: Balancing Android Openness with Stronger App Security
The new sideloading flow is introduced alongside Google’s previously announced plan for mandatory developer identity verification for Android applications. Once these rules are fully rolled out, certified Android devices will only be able to install software from developers whose identities have been verified by Google.
According to Google, tying apps to verified developer identities should make it easier to trace malicious actors, shut down fraudulent accounts, and reduce the circulation of harmful apps. This is especially relevant in cases where attackers repeatedly create new accounts to distribute banking trojans or spyware.
A particular concern for Google is the widespread use of social engineering to convince users to manually install APK files (sideloading) and grant them extensive permissions. In some attack chains, users are manipulated into disabling or bypassing Google Play Protect—Android’s built-in malware protection on certified devices—creating an opening for further compromise and financial fraud.
How the 24-Hour Install Delay Disrupts Social Engineering Attacks
Under the new advanced flow, users will still be able to install apps from unverified developers, but they must first complete a one-time configuration and then wait 24 hours before the installation can proceed. From a security perspective, this directly targets one of the most effective tools in social engineering: the manufactured sense of urgency.
Samir Samat, President of Android Ecosystem, emphasized that this pause is designed to give users time to validate alarming claims such as “your bank account is blocked” or “your relative is in immediate danger.” Removing instant installation makes it harder for attackers to push victims into impulsive decisions, which are often critical to the success of malware campaigns distributed via SMS, messengers or phishing sites.
Crucially, the new sideloading delay will not apply to installations via Android Debug Bridge (ADB). This exception preserves a fast, flexible workflow for developers, testers, and security researchers, while focusing protective measures on regular users, who are more likely to be targeted by social engineering schemes.
Developer Identity Verification and Limited Distribution Accounts
Google’s requirement for developer identity verification has already drawn substantial criticism from more than 50 organizations, including F-Droid, Brave, the Electronic Frontier Foundation, Proton, The Tor Project and Vivaldi. Their concerns center on potential barriers to entry for small and independent developers as well as privacy and data protection risks.
Criticism from Privacy-Focused Projects and Alternative App Stores
Opponents highlight uncertainty around which personal data will be collected, how it will be stored and secured, and under what conditions it might be shared. There are also questions about whether verified identity data could be requested by governments or law enforcement, which is particularly sensitive for projects that prioritize anonymity, circumvention tools or privacy-preserving applications.
In response, Google has announced free limited distribution accounts aimed at students and hobbyist developers. These accounts will allow apps to be shared with up to 20 devices without submitting identity documents and without paying a registration fee. This model is intended to support learning, experimentation and small-scale testing without completely blocking non-commercial participation in the Android ecosystem.
Both the advanced sideloading flow for users and the limited distribution accounts for developers are scheduled to become available in August 2026. Full enforcement of the new developer verification requirements is planned for one month later, giving alternative app stores and development teams time to adjust.
Android Malware Surge: Perseus and Emerging Banking Trojans
The policy shift comes against a backdrop of intensifying Android malware activity. Security researchers have identified a new family of Android malware called Perseus, currently targeting users in Turkey and Italy. Perseus is designed for device takeover (Device Takeover, DTO), enabling attackers to hijack banking sessions, steal credentials and perform unauthorized financial transactions.
Over the last four months alone, at least 17 distinct Android malware families have been observed in the wild, including FvncBot, SeedSnatcher, ClayRat, Wonderland, Cellik, Frogblight, NexusRoute, ZeroDayRAT, Arsink and SURXRAT, deVixor, Phantom, Massiv, PixRevolution, TaxiSpy RAT, BeatBanker, Mirax and Oblivion RAT. Many of these threats focus on banking fraud, SMS interception, remote device control and bypassing security controls.
Industry reports have consistently shown that apps installed from outside official stores are significantly more likely to contain malware than those downloaded from Google Play. The current wave of threats once again confirms that sideloading remains one of the primary vectors for compromising Android devices, often via phishing messages, fake bank websites, and instant messaging campaigns urging users to “urgently install a security app” or “critical banking update.”
Against this background, users should reassess their security practices: prefer installing apps only from trusted sources, avoid disabling Google Play Protect unless absolutely necessary, treat any “urgent” request to install an APK with extreme caution, and keep devices and apps updated. Developers and alternative app stores should proactively study the upcoming developer verification requirements and experiment with limited distribution accounts to minimize disruption and maintain accessibility for their communities. The new 24-hour sideloading delay will not eliminate Android malware, but it raises the cost of social engineering attacks and gives users valuable time to question and verify before they tap “Install.”
