
Google Play tightens defenses — blocks 1.75M policy-violating apps in 2025
Google Play security update — 2025 results and what's new
Google says a reworked vetting pipeline and broader runtime screening led to fewer blocked submissions in 2025: 1.75 million apps stopped for policy violations, down from 2.36 million the year before. The company credits expanded automation, repeated post-publish revalidations and model-driven flagging for catching bad behavior earlier and deterring abusive upload attempts.
Under the revised workflow Google now applies thousands of static and runtime checks at scale — the company reports more than 10,000 individual safety signals per app — and uses generative-model outputs to accelerate anomaly detection and shorten attacker windows.
On-device protections remain a cornerstone: Play Protect identified over 27 million new apps with malicious traits in 2025 and blocked roughly 266 million risky sideload attempts, helping protect an estimated 2.8 billion Android endpoints across 185 markets.
Complementing those detections, Google is reshaping how sideloading works: the company introduced verification-focused controls that surface targeted warnings and verification gates before external installs, while preserving an explicit bypass for experienced users. The controls are being rolled out by region rather than globally, and include differentiated developer account tiers — a lighter path for students and hobbyists alongside fuller verification for broader distribution — intended to reduce casual misuse without fully eliminating developer flexibility.
Google says these intermediary gates will both raise the cost of abuse for opportunistic actors and create new telemetry streams to prioritize responses to suspicious distribution patterns. The approach is designed to reduce the attack surface that relies on uninformed sideloading, though Google acknowledges power users and advanced operators retain the ability to proceed if they accept the risk.
The store also tightened controls targeting review manipulation and data-exposure risks: automated systems removed about 160 million fraudulent ratings and prevented roughly 255,000 apps from obtaining excessive access to sensitive user data, a pronounced drop from prior-year counts.
Google has added developer verification steps, pre-publication checks and mandatory tests to reduce avenues for malicious actors. While these measures aim to help legitimate developers ship securely, smaller developers who rely on direct installs for testing or educational distribution may face friction and should prepare alternative signing and distribution workflows.
All of this occurs amid regulatory scrutiny, particularly in Europe, where authorities have raised questions about Google’s payment and platform rules. Observers will watch whether the additional controls and staged sideloading changes satisfy regulators without unduly centralizing platform control.
- Coverage: protections now reach about 2.8 billion Android devices across 185 markets.
- Sideloading changes: verification gates, targeted warnings and phased regional rollout add friction for typical users while preserving an escape path for advanced users; lighter account tiers aim to limit developer burden for hobbyist distributions.
- Residual risk: sophisticated supply-chain compromises, obfuscated fraud and alternative distribution channels remain areas to watch despite lower overt abuse.
Google frames the 2025 results as evidence that automation plus human review and new sideloading controls compress attacker windows, raise distribution costs for bad actors, and improve baseline safety for users and developers. Continued investment in model-driven defenses, cross-channel telemetry and developer tooling will be required as threats evolve.