Google limits Android app sideloading to counter malware, but keeps a back door for advanced users.

According to The Verge, Google is planning a major overhaul of Android in 2026, aimed at countering malicious software across the platform's ecosystem. Starting in September this year, Google will limit the sideloading of applications through its developer certification scheme, after which users will no longer be able to install applications from uncertified developers. However, Sameer Samat, the Managing Director of the Android ecosystem, told Ars Technica that Google had been listening to feedback, which led to a new solution, the "advanced flow", that allows experienced users to skip application validation.

Under the new sideloading restrictions, Android will only install applications from certified developers. To obtain certification, developers who publish applications outside Google Play must provide identification, upload a copy of their signing key and pay $25. The process seems rather cumbersome for app developers who do not want to be subject to Google's intervention.

The new advanced flow is hidden in the developer settings. In the current sideloading process, Android points the user to the "unknown sources" switch in the settings and guides them to turn it on, whereas the flow that bypasses validation will not be presented to the user proactively. In his blog, Matthew Forsythe, Director-General of Applied Safety and Management of Google Products, explains:

1. Enable developer options in system settings: Activating this function is simple. It prevents a "one-tap bypass" loophole from being used in a moment of confusion or in a high-pressure scam.
2. Confirm that you are not being coerced: A quick check ensures that no third party is inducing you to turn off security protection. While advanced users know how to vet applications, fraudsters often pressure victims into disabling security protections.
3. Restart the phone and re-verify: This cuts off any remote access or ongoing calls that fraudsters might use to monitor what the user is doing.
4. Verify once again after the protective "cooling-off period": There is a one-time 24-hour waiting period, after which you confirm by biometric authentication or the device PIN that you made this change. Fraudsters rely on creating a sense of urgency; this step disrupts their plans and leaves you enough time to think.
5. Install applications: Once you have confirmed that you are aware of the risks, you can install applications from uncertified developers, and you can choose to allow this temporarily (7 days) or indefinitely. For security reasons, you will still see a warning that the application comes from an uncertified developer, but you can click "Continue installation".

Mr. Samat explained that the 24-hour cooling-off period was necessary to combat the growing number of high-pressure attacks: "We believe that during this 24-hour calm period it is very difficult for the attackers to sustain their attacks. In the meantime, you will find that there were no accidents and no attacks on your bank accounts." Users who are sure that they do not want Google's validation to affect any APK they sideload need not wait until they encounter an uncertified application to start the process. The developer option can be closed only once on a mobile phone.

Mr. Samat stated that Google feels a sense of responsibility toward Android users worldwide and that, unlike in the past, there are now more than 3 billion active devices. "For many people around the world, mobile phones are their only computer and store their most private information. Over the years, we have continuously improved the platform to ensure security while remaining open. I would like to stress that if the platform is not safe, users will not use it, and this is a loss for all, including developers."

What are the specific security measures? Google maintains that it has no interest in the content of applications and that it does not proactively check them when developers register. Certification concerns identity only: the user should be able to know that an application is not a counterfeit and does not come from a known malware developer. If certified developers distribute malicious software, their certification will be revoked.

What counts as malware? According to Mr. Samat, in the context of developer certification, malicious software refers to an installation package that is intended "to cause unintended damage to user equipment or personal data". Thus a rootkit, although it is malicious software, does not count as malware here if the user deliberately downloads it in order to obtain root privileges. Similarly, alternative YouTube clients that do away with Google's advertising and feature limitations would not lead to certification problems. But this is only a broad definition, and Google has not commented on any specific application.

Google is advancing the validation feature cautiously, and some details remain unclear. Privacy advocates are concerned that certification will create a database that exposes independent developers to legal proceedings. Mr. Samat stated that Google would indeed push back against improper judicial orders. The company further indicated that it had no intention of creating a permanent list of developers that would be exposed to legal demands.

For now, Android users in most parts of the world do not need to worry about developer certification, but from September this year the measures will be implemented first in Brazil, Singapore, Indonesia and Thailand. Because impostor fraud and enticement schemes are more common in these regions, Google has chosen to pilot the scheme there and to roll it out globally next year. Google stressed that the "advanced flow" would be ready before the initial implementation in September.

Google claims that users are 50 times more likely to encounter malicious software outside Google Play than in Play. According to Mr. Samat, an important reason for this large gap was Google's decision in 2023 to start identifying developers on the Play Store, which provided a framework for applying developer identification more widely. While Google may have promoted the identification policy for control purposes, the Android team did feel regulatory pressure to address platform security from regions where malicious software is rampant. In an interview with Ars Technica, Mr. Samat said: "In many countries, there are voices that believe that if this does not make the ecosystem safer, regulatory action may be needed to strengthen the control of such products. I believe that many do not fully realize that this is a real security concern in many countries."

Google has begun pushing the certifier to devices worldwide; it is integrated into Android 16.1, released at the end of 2025. Ultimately, the certifier and the "advanced flow" will appear on all currently supported Android devices. The user interface will also be consistent, and Google will provide all components and on-screen warnings.
