One of the most common criticisms Android users have of Apple’s iPhone is that they do not allow any side loading of apps. Mobile apps on iPhone can only be downloaded from Apple’s app store, ensuring Apple has full control over its ecosystem. While this may somewhat change in the future due to European Union regulation, Android’s ecosystem has always been an open platform. Anyone can open an app store and any user can “sideload” apps, install mobile apps from which source they choose. While this approach has obvious consumer benefits, it also introduced risk, with more malicious software available on Android than on iPhone. In addition to the usual suspects of malware and Phishing scams, the open nature of the Android platform means that anyone is able to create an app masquerading as a popular brand, without the brand owner’s authorization. There are fake “official apps” for services, apps that utilize third party services without their authorization (“You can use this app to online bank in Chase, Bank of America and Wells Fargo, all in one!”), and other forms of unauthorized brand use. All these apps are generally called “Rogue Apps” and organizations actively monitor official and third party app stores in order to detect such incidents, as part of their brand protection activities (shameless plug: we also offer such monitoring as part of our service).

A few days ago, Google announced that it will begin to require identity verification for all Android app developers, regardless of where their apps are hosted, starting next year. Users who download an app from a developer whose identity has not been verified will not be able to install it, regardless from which app store the app was downloaded from. Once a developer is identified, they can upload their app to whichever store they want, ensuring that the Android platform remains open. This move seems to be motivated by improving security and reducing the amount of malicious apps on their platform. Google claimed that more than 50 times more malware was detected in sideloaded apps than compared to Google Play, demonstrating that developer identification does work in reducing the risk.

While apps that fall into the “Rogue” category do not necessarily contain malware or may even be malicious, as many of them fall into a gray area of developers simply not asking for permission to use a third party brand, this new requirement by Google should still impact the “Rogue App” space as a whole.

Requiring developers to identify themselves will most likely dramatically reduce certain types of Rogue apps, specifically ones that more brazenly impersonate another brand. For example, the numbers of fake “official” apps would most likely be dramatically reduced, assuming that Google does not allow developers to impersonate known third parties. These apps have been observed for popular online services that have little presence in the mobile space (i.e. services that do not have an official mobile app available). Third parties would then create an app-wrapper for a browser, loading the official website of the service, while placing banners at the top or bottom in order for the third party to profit from someone else’s hard work building the brand. Additional Rogue Apps that will most likely see a dramatic decrease would be ones used a sophisticated Phishing attack, with their true purpose to collect customer credentials while impersonating a legitimate brand.

As for other forms of Rogue Apps, it depends on Google policies. However, rogue apps are not going away, considering that we still see plenty of them on Google Play itself, where developer verification is required since 2023. That is not criticism of Google, but an emphasis that Rogue Apps aren’t always blatantly malicious and Google shouldn’t necessarily serve as a court of what content is or is not allowed on the platform. The fact that Rogue Apps do exist in Google Play is an indication that these new policies are not going to eliminate the issue, but it would definitely help in reducing the more direct and blatant incidents. That in itself should be a major win, protecting consumers and organizations alike. Organizations will still have to continue monitor official and third party app stores to ensure that none of the grey-area incidents, which may still warrant action by the brand owners, will be missed.