F-Droid thinks Google's new Android verifier is malware
They say it gives Google unprecedented control over which apps you can install.

A stylized Google Android mascot. Joan Cros/NurPhoto via Getty Images.
- F-Droid calls Google’s Android Developer Verification “malware,” saying it increases Google’s control over app installs.
- Google says the system improves security by verifying developers and reducing repeat malware distribution.
- F-Droid argues it does little against malware and instead restricts Android sideloading and third-party apps.
- Open-source groups warn the policy threatens Android openness, with global rollout planned for 2026–2027.
Key Takeaways by nexos.ai, reviewed by Cybernews staff.
The open-source app store F-Droid has branded Google's Android Developer Verification (ADV) program as malware that gives Google unprecedented control over which apps users can install on their devices.
In a recent blog post, the project argued that Google's new verification mechanism goes far beyond improving Android security.
Instead, F-Droid describes ADV as "a virus" that "cannot be blocked, disabled, or removed," despite being presented as a security feature. It also accuses Google of using security as justification for increasing its control over Android's software ecosystem.
Google introduced ADV as part of a broader effort to curb Android malware. Under the initiative, developers who want their apps to be installable on certified Android devices, including apps distributed through third-party app stores or sideloaded, must verify their identities with Google.
The company has said the requirement will make it harder for malicious actors to repeatedly distribute malware under new identities. The service is already present on any device running Android 8 or later.
The wrong approach
However, F-Droid argues that ADV does little to stop malware from being distributed in the first place, since it only restricts a bad actor after they have already been caught and banned. The group says there were less invasive alternatives, including tighter Play Protect scrutiny of newly installed apps and a system of independent, user-selected verifiers, but Google chose to pursue the current program instead.
F-Droid also objects to how Google's Developer Console Terms of Service defines malware. The terms allow Google to revoke a developer's access for distributing "malware or other harmful applications" without specifying what qualifies.
F-Droid argues that this could lead Google to interpret malware as "whatever we say it means," and cites Google's past removal of an ad-blocking app after labeling it as malware.
Stay updated with our latest stories and follow us on social media
Be the first to discover new stories, ideas, and updates from our team.
It also pushes back on Google's claim that adoption has been strong, noting that the reported 99% registration rate among Play developers came from auto-enrollment, not informed consent.
The F-Droid project has been one of the leading voices behind the Keep Android Open initiative, which argues that mandatory developer verification threatens Android's openness and gives Google control over what software users can install. An open letter from the initiative has been backed by more than 70 organizations, including the EFF, the ACLU, the FSF, and the FSFE.
As things stand, ADV enforcement begins September 30, 2026, in Brazil, Indonesia, Singapore, and Thailand, before expanding globally in 2027. F-Droid says it still does not know what will happen to its own platform, or to apps already sideloaded through it, once enforcement takes effect.