Google's Developer ID Check Won't Stop Malware. Here's Why.
Google announced that Android developers will soon need to verify their identity before publishing apps on the Play Store, with enforcement beginning in September in select countries and a global rollout to follow. The move is framed as a crackdown on anonymous bad actors distributing harmful apps. It sounds like common sense. It is also, in the ways that matter most, a solution aimed at the wrong problem, one that will impose real costs on the developers who can least afford them while doing surprisingly little to stop the sophisticated threat actors who actually make Android's malware ecosystem dangerous.
The Long Road to Accountability Theater
Google's relationship with developer accountability on Android has been a slow, reluctant evolution. When the Android Market launched in 2008, the entire premise was openness. A $25 registration fee and a Gmail address were all you needed. Apple charged $99 per year and required tax documentation from day one. Google positioned its low barrier as a feature, not a bug, a democratizing force that let anyone ship software to a billion devices.
That philosophy held for over a decade, even as the consequences became impossible to ignore. In 2020, Upstream's research identified over 29,000 malicious apps on the Play Store in a single year. Google's own transparency reports have acknowledged removing hundreds of thousands of policy-violating apps annually. The company responded with incremental technical measures: Google Play Protect scanning in 2017, enhanced app review processes in 2019, the Data Safety section in 2022, and tighter SDK requirements throughout 2023 and 2024.
What Google consistently avoided was the one thing Apple had done from the start: requiring developers to prove they are real people or registered businesses. The reason was strategic. Android's market share, particularly in Asia, Africa, and Latin America, was built partly on the backs of solo developers and tiny studios who would never have cleared Apple's bureaucratic hurdles. Raising the barrier to entry on the Play Store risked shrinking the app catalog that made Android competitive in those markets.
The September 2026 deadline marks the end of that era. But the timing is not primarily about security. It is about regulation.
Regulation Is the Real Driver, Not Malware
The Digital Markets Act in the European Union, the UK's Online Safety Act, India's proposed Digital India Act, and South Korea's revised Telecommunications Business Act all share a common thread: they hold platform operators increasingly liable for the content distributed through their systems. The era of "we're just a platform" is over in most major jurisdictions, and Google's legal exposure grows every quarter that anonymous developers can publish apps to billions of devices without so much as a phone number on file.
Google's announcement carefully targets "select countries" first, a phrasing that almost certainly maps to the jurisdictions where regulatory pressure is most acute. The EU's DMA requires gatekeepers to maintain transparent and fair conditions for business users, which practically demands knowing who those business users are. India's CERT-In directives already require platforms to be able to identify and trace the originators of harmful content within 72 hours. Google cannot comply with these mandates if developers are registered under disposable email addresses.
This is not cynicism. It is a recognition that platform companies rarely impose friction on their own developer ecosystems out of pure altruism. The security framing is convenient because it makes regulatory compliance look like consumer protection. Both things can be true simultaneously, but understanding which one is driving the timeline matters for predicting how aggressively the policy will actually be enforced.
Why Identity Verification Misses the Real Threat
Here is the contrarian case that the security community has been making for years, and that the press coverage of Google's announcement has largely ignored: the most dangerous actors on the Play Store are not anonymous. They are sophisticated operations that already have verified identities, or can trivially obtain them.
The Joker malware family, which has been one of the most persistent threats on Android since 2017, operates through developer accounts that are purchased, stolen, or created using real but compromised identity documents. Researchers at Check Point and ThreatFabric have documented how malware operators maintain networks of dozens of developer accounts, rotating through them as individual accounts get banned. Requiring a government ID to register does not stop someone who already has a stack of stolen government IDs or who can recruit money mules to register accounts on their behalf.
The same pattern holds for the Sharkbot banking trojan, the Anatsa malware family, and the Goldoson SDK supply chain attack that compromised over 60 legitimate apps in 2023. In each case, the developers either were legitimate companies whose apps were compromised through third-party SDKs, or were criminal operations sophisticated enough that identity verification was a trivial obstacle.
Compare this to the threat that identity verification does address: low-effort copycats, spam apps, and the kind of adware-laden flashlight apps that characterized the Play Store's worst years. These are nuisance-level threats. They are annoying. They erode trust. But they are not the attacks that drain bank accounts, exfiltrate corporate credentials, or conduct state-sponsored surveillance. Google's existing automated scanning already catches the vast majority of these low-tier threats, and the ones that slip through are typically removed within days of being flagged.
The uncomfortable truth is that identity verification optimizes for the problem Google has mostly already solved, while doing little about the problem that remains genuinely hard.
The Cost Falls on Indie Developers and the Global South
Every new compliance requirement imposes costs, and those costs are not distributed equally. A developer at a Fortune 500 company or a well-funded startup will barely notice. They already have registered business entities, legal departments, and corporate documentation. The developer who feels this most acutely is the solo builder in Lagos, Dhaka, or Jakarta who makes a living from a handful of utility apps and has never incorporated a business.
Google's announcement does not yet specify what forms of identification will be accepted globally, and this is where the policy will succeed or fail. In many developing countries, government-issued identification is inconsistent, name transliteration between scripts creates matching problems, and postal addresses, the backbone of business verification, are unreliable or nonexistent. The W3C's work on decentralized identity and the challenges documented by the World Bank's ID4D initiative make clear that "just verify your identity" is a simple instruction with extraordinarily complex global implementation.
Apple's experience is instructive. The App Store's D-U-N-S number requirement for organization accounts has been a persistent barrier for developers in countries where Dun & Bradstreet's coverage is thin. Apple eventually created workarounds, but the process still takes weeks in some regions and has been documented as a reason why the iOS app ecosystem is disproportionately dominated by developers in North America, Europe, and East Asia.
If Google replicates this pattern, the outcome is predictable: the Play Store's app catalog will shrink in exactly the markets where Android's market share is highest. Android holds over 80% of the mobile market in India, over 75% in Brazil, and over 85% in most of Sub-Saharan Africa. These are precisely the markets where developer verification is hardest to implement equitably.
The risk is not that these developers disappear. The risk is that they move to alternative distribution channels, sideloading, third-party app stores, or direct APK distribution, where there is no review process at all. A policy designed to make the Play Store safer could inadvertently make the broader Android ecosystem less safe by pushing developers and users outside the one distribution channel that has any meaningful security infrastructure.
What This Means for the Platform Power Debate
There is a deep irony in the timing of this announcement. Google is simultaneously fighting an antitrust case in which the DOJ has argued that Google's control over Android app distribution constitutes an illegal monopoly, and the company lost its appeal in the Epic Games case. The court ordered Google to open up the Play Store to competing app stores and to stop imposing anti-competitive conditions on developers.
Developer identity verification strengthens Google's gatekeeper position at exactly the moment when regulators and courts are trying to weaken it. If publishing on the Play Store requires government-verified identity and competing stores do not, Google can argue that its distribution channel is inherently safer, a justification for the very bundling and default-setting practices that antitrust enforcers want to dismantle.
This is not a conspiracy. It is incentive alignment. Google's security team genuinely wants to reduce malware. Google's legal team genuinely wants to comply with the DMA. Google's business team genuinely benefits from any policy that makes the Play Store a more defensible monopoly. All three interests converge on developer verification, which is precisely why the policy is moving forward now after fifteen years of Google arguing it was unnecessary.
Founders and developers building on Android should watch carefully for how verification requirements interact with the new third-party app store mandates. If alternative stores are required to implement equivalent verification, the barrier to entry for the entire Android ecosystem rises uniformly, and Google's advantage as the incumbent with the most mature verification infrastructure becomes significant. If alternative stores are not required to match, they become the path of least resistance for developers who cannot or will not verify, creating a two-tier ecosystem split along lines of regulatory compliance.
What Comes Next
Three predictions for the next eighteen months.
First, Google will implement a tiered system rather than a single verification standard. Individual developers will likely face lighter requirements (phone number, government ID) while organization accounts will need business registration documents. This mirrors Apple's individual versus organization split and is the only way to maintain developer access in markets with weak business registration infrastructure. Expect this tiered approach to be announced before the September deadline.
Second, the verification requirement will accelerate the consolidation of the Android app ecosystem around larger publishers. Small developers who clear the verification hurdle will find that the reduced competition from departed anonymous developers benefits them. But the trend line points toward a Play Store that looks more like the App Store: fewer apps, higher average quality, dominated by professional studios and well-funded indie developers. The long tail of experimental, quirky, single-purpose apps that once defined Android will thin considerably.
Third, and most importantly, malware on the Play Store will not meaningfully decline as a result of this policy. The sophisticated actors will adapt within weeks. The policy's real impact will be measurable in regulatory compliance metrics, developer demographics, and antitrust arguments. Google will cite the reduction in removed apps as evidence of success, but the reduction will primarily reflect fewer submissions rather than fewer threats. The apps that get through verification and still turn out to be malicious will be just as dangerous as before, because identity verification is a gate, not a wall, and the people you most want to keep out are the ones best equipped to forge a key.
Google's developer verification is not a bad policy. It is an overdue one that addresses a real, if overstated, problem. The mistake is in believing, or asking users to believe, that knowing a developer's name makes their code any safer. The hard work of Android security remains what it has always been: runtime analysis, permission enforcement, SDK auditing, and the unglamorous, unannounced, deeply technical work of catching malicious behavior after it passes every identity check in the world.