F-Droid argues that malware should be defined by whether software runs against the user's interest, not by what a binary does on-device. A mandatory global identity registry enforced at the OS level by a single commercial gatekeeper meets that bar, because it strips users of the right to run anonymous, source-available software on hardware they own.
F-Droid states it cannot comply without either forcing ~4,000 upstream developers to register their legal identities with Google, or dropping them from the index — both incompatible with a project premised on anonymous, reproducible builds. With rollout starting in Brazil, Indonesia, Singapore, and Thailand in September 2026 and going global in 2027, the FOSS Android community has roughly twelve months before it must retreat to alternative ROMs like GrapheneOS, CalyxOS, and LineageOS.
F-Droid frames Google's stated rationale — fighting financial fraud and stalkerware — as insufficient cover for the actual mechanism: a global identity gate on the right to publish software, controlled by a company with a direct commercial interest in the outcome. Because the requirement extends beyond the Play Store to sideloaded APKs and rival stores like Aurora and Amazon Appstore, the effect is centralizing distribution authority under Google rather than solving the stated abuse problem.
On July 1, F-Droid — the open-source Android app repository that has been running since 2010 — published a post titled *'A new Android malware from Google'* on its official blog. The 334-point Hacker News thread that followed within hours is not really about a specific APK. It is about F-Droid formally taking the position that Google's Android Developer Verification program, first announced in 2025 and now entering rollout, is itself the malware.
The program, in short: any developer who wants their app to install on a Google-certified Android device — which is roughly every phone sold outside China — must register a verified legal identity with Google. This applies not only to Play Store submissions but to sideloaded APKs and third-party stores like F-Droid, Aurora, and Amazon Appstore. Google's stated rationale is fighting financial fraud and stalkerware. F-Droid's counter-argument is that the mechanism is a global identity gate on the right to publish software, controlled by a single company with a business interest in the outcome.
F-Droid's post makes the structural argument explicit: 'malware' is not defined by what a binary does on your phone, it is defined by whether software runs against the user's interest — and a mandatory identity registry, enforced at the OS level, meets that bar. The advisory goes on to note that F-Droid itself cannot comply without either forcing every one of its ~4,000 upstream developers to register with Google, or dropping them from the index. Neither is a viable path for a project whose entire premise is anonymous, reproducible, source-available software.
The timing is not accidental. Google's verification rollout starts in Brazil, Indonesia, Singapore, and Thailand in September 2026 and goes global in 2027. That gives the FOSS Android ecosystem roughly twelve months to work out whether it has a future on stock hardware, or whether it retreats to GrapheneOS, CalyxOS, LineageOS, and a shrinking pool of unlocked devices.
Compare this to what happened on iOS. Apple has required developer identity since 2008, and the practical result is that no meaningful anonymous-development scene exists on iPhone outside of jailbreaks. The AltStore / third-party marketplace concession in the EU applies only because of the DMA, and even there Apple requires a €1M letter of credit from marketplace operators. What F-Droid is warning about is Android converging on the iOS distribution model — one identity registry, one gatekeeper, no exceptions — while still being marketed as 'open.'
The community response has been sharper than usual. GrapheneOS, whose developers have historically been careful about tone toward Google, published a technical breakdown last week arguing the enforcement layer lives in Play Protect and cannot be cleanly disabled on certified devices without breaking Play Integrity attestation — which in turn breaks banking apps, Google Wallet, and increasingly, transit passes. The EFF called it 'the end of general-purpose computing on the dominant mobile OS.' Even Google engineers on Mastodon have been noticeably quiet.
The most uncomfortable comparison in the F-Droid post is to code-signing certificates on Windows. Microsoft has required them for kernel drivers since Vista, and the practical result is a well-documented gray market in stolen or straw-buyer'd signing certs used by actual malware authors. If the past fifteen years of code-signing enforcement are any guide, mandatory identity gates do not stop determined attackers — they only stop hobbyists, researchers, and anonymous maintainers of legitimate software.
If you maintain an Android app, an SDK that ships inside other people's Android apps, or a library that gets vendored into APKs, the practical question is straightforward: are you willing to attach a verified legal identity — passport or corporate registration, plus a physical address Google can subpoena — to every piece of Android code you publish? For most solo maintainers and academic security researchers, the answer is going to be no. Expect a wave of Android-side archival deletions, README notices pointing to GitHub-only source distribution, and a hard pivot toward 'build it yourself from source, we won't be signing anything.'
If you run a company that ships an Android app, the impact is smaller but non-zero. Your existing Play Console account satisfies the requirement, but every third-party contractor who touches your release keystore now needs to be on the same registry, and your SDK vendors need to be too. Audit your dependency graph now — if you pull in an obscure OSS library whose maintainer refuses to register, you inherit their distribution problem.
For security teams, the second-order effect is worse than the first: when anonymous researchers can no longer publish proof-of-concept exploits or defensive tools as installable APKs, the entire Android threat-research ecosystem shifts to platforms Google does not moderate — private Telegram channels, Chinese app stores, and darknet forums. The people who need the anonymity most — dissidents, security researchers in adversarial jurisdictions, whistleblower-tool developers — are exactly the ones the policy pushes off the platform.
The next twelve months will be a slow-motion referendum on whether 'open' Android survives as anything other than a marketing word. F-Droid's advisory is a shot across the bow, not a call to arms — they've been careful not to encourage regulatory intervention, probably because they know how EU device certification mandates have gone historically. The most likely outcome is a bifurcation: stock Android becomes a signed-identity walled garden functionally indistinguishable from iOS, and a small but committed GrapheneOS / LineageOS ecosystem absorbs the FOSS refugees. If you've been putting off buying a Pixel 8 to flash GrapheneOS onto, the window on used-market unlocked hardware is closing faster than you think.
Android users need to switch to Graphene.Someone needs to create a Linux based mobile OS foundation - Google's domination is contrary to many large companies interests, and if Meta and many other such companies were approached, they may well donate large sums of money in their own strategic int
I understand the frustration (I'm an avid fdroid user across many many devices). But this article comes off as childish with the virus/trojan/"malware vendor".With such an article, many (including perhaps google) get the ammo to disregard what fdroid says, by branding them a
I use Android because it lets me install whatever I want on my phone, which it does not seem to me, controversial. The phone is either mine or it is not. I don't want Google's protection. Particularly, if I can't refuse it.
> In computing, a trojan horse or trojan is a kind of malware that misleads users as to its true intent by disguising itself as a normal program. [1]Google is Trojans all the way down. What is the true intent of almost every Google product? Data harvesting.Every single product is spyware of some
Top 10 dev stories every morning at 8am UTC. AI-curated. Retro terminal HTML email.
It doesn't solve the current issue, but in case we don't manage to push back on this, some people might not know that there are various actual linux OSes for mobile:- SailfishOS: still linux based and seems fairly community inclusive, but the UI part of the stack is closed source. Is the o