Google is implementing stricter sideloading requirements to combat scams, but critics argue the company should prioritize addressing persistent malware vulnerabilities within the official Google Play Store instead.
Key points
- Starting in August, Google will introduce a 24-hour security delay and additional verification steps for sideloading apps from unverified sources.
- Zscaler researchers identified 239 malicious apps on the Play Store that accumulated 42 million downloads between June 2024 and May 2025.
- A separate 2025 report by Satori Threat Intelligence found 224 malicious apps used for ad fraud on the Play Store, with 38 million downloads.
- Malicious apps frequently bypass Google’s security filters by posing as legitimate utilities, games, or brand clones.
- The Play Store’s data safety section relies on developer self-disclosure, which often fails to accurately reflect app permissions or potential security risks.
The Play Store is widely perceived as a trusted environment, so users are less guarded there than when sideloading from external websites. By focusing on sideloading friction rather than internal vetting, Google risks leaving millions of users vulnerable to malware that carries an implicit stamp of approval from the official storefront.