Google tightens Android sideloading

Come September 2026, Android users in Singapore, Brazil, Indonesia and Thailand will find it harder to download apps from outside the Play Store. What would that mean for app developers, cybersecurity and consumer experience?

Google announced on 25 August 2025 that all app developers must be verified before their apps can be installed on certified Android devices in Singapore, Brazil, Indonesia and Thailand — a change aimed at curbing malware and scams. The rest of the world follows in 2027.
To help unpack what this means for users and the industry, Alexander Ivanyuk, Senior Director, Threat Research Unit (TRU), Acronis, shares his perspective:

Effectiveness: Will a move like this actually be effective in protecting users from downloading malware by accident, considering that they will need to fiddle with their settings to sideload apps in the first place?

Ivanyuk: This is not a silver bullet (as there is still malware on Play and ways for hackers to get through), but it is an effective safety rail. It moves the security model from relying on a user’s imperfect risk decision to a system-level enforcement based on developer accountability. It will undoubtedly prevent a number of accidental malware installations.

And yes, this is only for users who know and dare to enable “Unknown Sources” (now more granularly called “Install unknown apps”) which is a simple, one-time toggle for permission.

Openness vs. security: Android has long prided itself as being an open-source platform, in contrast with Apple, which takes a walled garden approach. Does this move actually run contrary to that spirit of freedom and openness?

Ivanyuk: The “open vs. closed” debate is often framed in idealistic terms, but in the real world, it’s about risk management. Goggle was taking steps in “closing” the Android system for years already; it is not something happening now with this new announcement.

The original definition of Android’s openness was about the ability for OEMs to customize the OS and for users to install software from outside a single curated store. It was never intended to be a free-for-all that enables massive fraud and malware campaigns. Also let’s not forget that Google is not removing the ability to sideload unverified apps entirely (though they are making it harder).

Revenue vs. security: Seeing as there are already restrictions in place for sideloading apps in Singapore, is this simply a move by Google to further curb sideloading apps that may take revenue away from them (eg, Vanced and its slew of modded apps that remove ads). Is it likely that there’ll be very little difference between the two platforms eventually with this shift?

Ivanyuk: This is about security first but of course there is a revenue factor as well. The sheer volume of financial and data-loss malware targeting Android is an existential threat to the platform’s reputation. Google’s biggest customers are OEMs (Samsung, Xiaomi, etc.). If Android becomes synonymous with “unsafe,” OEMs and users flee. Protecting the brand and ecosystem is worth infinitely more to Google than the ad revenue from a subset of users using YouTube Vanced. A secure platform attracts and retains users, which in turn attracts developers and advertisers—that’s the real business.

It is likely that Android and iOS will continue to converge on security models while remaining divergent on philosophy. To give a statement example:

iOS: “You cannot sideload. We have deemed it unsafe.”
Android: “You can sideload, but we will implement every possible barrier, warning, and now verification check to ensure you know exactly how dangerous it is before you do.”

The ability to sideload will remain, but the path will be increasingly fraught with warnings and roadblocks designed to make the average user think twice. This is the correct balance from a risk-management perspective.