Google Introduces 24‑Hour Delay for Installing Unverified Android Apps to Thwart Malware and Scams
What Happened — Google rolled out an “advanced flow” that forces a mandatory 24‑hour waiting period before users can sideload apps from developers who have not completed Google’s verification process. The change is designed to curb the spread of malicious and scam apps while preserving Android’s open‑source ethos.
Why It Matters for TPRM —
- Adds friction for threat actors who rely on unverified APKs as a delivery vector.
- Alters the risk posture for enterprises that allow employee sideloading on corporate‑managed devices.
- May impact third‑party mobile‑app vendors that depend on rapid distribution outside Google Play.
Who Is Affected — Android device manufacturers, enterprise mobility management (EMM) providers, SaaS vendors with Android client apps, and any organization that permits sideloading on corporate devices.
Recommended Actions — Review and tighten mobile‑device policies, enforce EMM controls to block or monitor unverified sideloading, communicate the new delay to end users, and assess vendor‑specific app distribution workflows for compliance.
Technical Notes — The “advanced flow” adds a 24‑hour timer after the user taps “Install” for an unverified APK; installation proceeds only after the timer expires. No new CVEs are involved. The measure targets malware, ad‑fraud, and phishing apps distributed outside Google Play.
Source: https://thehackernews.com/2026/03/google-adds-24-hour-wait-for-unverified.html