Google is implementing significant changes to Android’s application sideloading process, aiming to bolster security against increasingly sophisticated social engineering attacks. The new measures, slated to begin rolling out in September 2026, will restrict the installation of apps from developers who haven’t been verified by Google. Although the move is intended to protect the vast Android user base – exceeding 3 billion active devices globally – it also introduces a more complex process for users who prefer to install applications outside of the official Google Play Store. This shift comes as malicious actors increasingly leverage tactics like “email-bombing” and impersonation to gain access to devices and deploy malware, such as the A0ackdoor.
The core of the new system involves a developer verification program. Developers distributing apps outside of Google Play will be required to provide identification, submit their app signing keys and pay a $25 fee. Apps originating from unverified developers won’t be directly installable unless users navigate a deliberately cumbersome process designed to deter casual use and, crucially, provide a window for users to recognize potential manipulation. This process, detailed by Google’s Android Ecosystem President Sameer Samat, is a direct response to the growing threat of high-pressure social engineering schemes.
Navigating the New Sideloading Process
Currently, sideloading an app on Android involves toggling an “unknown sources” setting. Google’s new approach significantly alters this. The bypass for app verification isn’t readily apparent; it’s hidden within the developer options, requiring users to proactively seek it out. The steps are as follows: first, enable developer options by tapping the “build number” in the phone’s “About Phone” section seven times. Then, within “Settings > System > Developer Options,” users must locate and toggle “Allow Unverified Packages.” A confirmation prompt appears, requiring the user’s device unlock code. However, this isn’t the end of the process.
You’ll have to wait 24 hours to bypass verification. Credit: Google
The device must then restart, and after a 24-hour delay, users can return to the “Allow Unverified Packages” menu. At that point, they can choose to “Allow temporarily” for seven days or “Allow indefinitely.” Samat explained that the 24-hour waiting period is a deliberate security measure. “In that 24-hour period, we experience it becomes much harder for attackers to persist their attack,” he said. “In that time, you can probably find out that your loved one isn’t really being held in jail or that your bank account isn’t really under attack.” This delay is intended to disrupt the urgency often employed in social engineering attacks, giving victims time to verify the situation.
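To make the timing of the gate described above concrete, here is an added example (not Google’s code, and not part of the original article) that models the sequence as a small policy object: developer options, unlock confirmation, restart, the 24-hour cooldown, and then a seven-day temporary or an indefinite allowance. The class and method names are assumptions chosen for illustration.

```python
from dataclasses import dataclass
from datetime import datetime, timedelta
from typing import Optional

COOLDOWN = timedelta(hours=24)        # waiting period described in the article
TEMPORARY_WINDOW = timedelta(days=7)  # "Allow temporarily" duration
REQUIRED_BUILD_NUMBER_TAPS = 7        # taps on "build number" to unlock developer options


@dataclass
class UnverifiedPackagePolicy:
    """Hypothetical model of the 'Allow Unverified Packages' gate (constructed, not Android's code)."""
    developer_options_enabled: bool = False
    requested_at: Optional[datetime] = None   # when the toggle was confirmed with the unlock code
    restarted: bool = False                   # the device must restart after the request
    allowed_until: Optional[datetime] = None  # None = blocked; datetime.max = indefinite

    def enable_developer_options(self, build_number_taps: int) -> bool:
        self.developer_options_enabled = build_number_taps >= REQUIRED_BUILD_NUMBER_TAPS
        return self.developer_options_enabled

    def request_allow(self, unlock_code_ok: bool, now: datetime) -> bool:
        # The toggle is only reachable from developer options and must be confirmed with the unlock code.
        if not (self.developer_options_enabled and unlock_code_ok):
            return False
        self.requested_at = now
        self.restarted = False  # a fresh request always needs a new restart
        return True

    def restart(self) -> None:
        self.restarted = True

    def cooldown_elapsed(self, now: datetime) -> bool:
        # Both conditions must hold: the device restarted AND 24 hours passed since the request.
        return (self.requested_at is not None and self.restarted
                and now - self.requested_at >= COOLDOWN)

    def allow(self, mode: str, now: datetime) -> bool:
        # Returning to the menu before the cooldown ends changes nothing; this is the anti-urgency step.
        if not self.cooldown_elapsed(now):
            return False
        if mode == "temporary":
            self.allowed_until = now + TEMPORARY_WINDOW
        elif mode == "indefinite":
            self.allowed_until = datetime.max
        else:
            raise ValueError(f"unknown mode: {mode}")
        return True

    def may_install_unverified(self, now: datetime) -> bool:
        # A temporary allowance expires on its own; an indefinite one does not.
        return self.allowed_until is not None and now < self.allowed_until
```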
The Rise of Social Engineering and Malware
The impetus for these changes stems from a marked increase in sophisticated social engineering attacks targeting Android users. These attacks often involve convincing victims to install malicious applications under duress. Recent reports, including a March 2026 advisory from Encyb, highlight a campaign leveraging Microsoft Teams and Windows Quick Assist to deliver the A0ackdoor malware. The Encyb report details how attackers use email-bombing followed by impersonation of IT support to gain remote access and deploy the malware. Google’s new measures are a direct attempt to mitigate this growing threat.
The need for enhanced security is further underscored by the sheer scale of the Android ecosystem. With over 3 billion active devices, Android represents a significant target for malicious actors. As Samat noted, for many users globally, their smartphone is their primary computing device and a repository for highly sensitive personal information. Protecting this data is paramount, and Google argues that a secure platform is essential for continued user trust and developer success.
Balancing Security and User Freedom
While the new restrictions enhance security, they also raise questions about user freedom and the ability to sideload applications for legitimate purposes. Sideloading is often used by developers testing applications, users installing custom ROMs, or those seeking apps not available in their region through the Google Play Store. Google acknowledges this and has designed the system to allow for sideloading, albeit with increased friction. Users who consistently sideload apps can select the “indefinitely” option, but even then, they must first navigate the developer options and complete the initial setup.
Samat emphasized Google’s responsibility to balance openness with security. “Over the years, we’ve evolved the platform to keep it open while also keeping it safe,” he stated. “And I want to emphasize, if the platform isn’t safe, people aren’t going to use it, and that’s a lose-lose situation for everyone, including developers.” This sentiment reflects a broader industry trend towards prioritizing security in the face of increasingly sophisticated cyber threats. The changes to Android’s sideloading process represent a significant step in that direction, aiming to protect billions of users from the growing dangers of social engineering and malware.
Google plans to continue monitoring the effectiveness of these changes and will likely adapt its security measures as new threats emerge. The company has not yet announced a specific date beyond September 2026 for the full rollout of the new sideloading restrictions, but further updates will be provided through the Android Developers website. Users should familiarize themselves with the new process to ensure a smooth transition and maintain the security of their devices.