F-Droid's advisory documents malicious apps that impersonate F-Droid and its clients passing Play Protect review and reaching users through the Google Play Store. They frame this as a live counter-example to Google's stated rationale for tightening sideloading restrictions: the malware is being distributed by the very store whose monopoly is defended on safety grounds.
The editorial argues the timing exposes a contradiction in Google's eighteen-month push for developer identity verification, Play Integrity checks, and Android 16 sideloading friction — all justified by malware risk. Meanwhile F-Droid's absence from Play (by design) is itself the attack vector, since users searching 'f-droid' on Play find impersonators instead.
F-Droid states it has been raising the trademark-and-lookalike issue with Google for years through the standard reporting flow. Their consistent experience is that takedowns only arrive after public coverage, not before — meaning the reporting mechanism functions as PR triage rather than a security process.
By titling the submission 'A new Android malware from Google,' drewfax frames Google Play itself as the distribution channel for the malware rather than a passive victim of it. The framing landed with 1,310 points, signaling broad agreement that Google's store operation — not sideloading — is the failure point here.
On July 1, F-Droid — the volunteer-run repository of free and open-source Android apps — published an advisory (`/2026/07/01/adv-malware.html`) flagging a cluster of malicious apps distributed through the Google Play Store that impersonate F-Droid and its clients. The post reached 1,310 points on Hacker News within hours, which is roughly where F-Droid lands whenever it points at Google and the room goes quiet.
The pattern the advisory describes is not novel, which is the point. Attackers are cloning F-Droid's client UI, reusing its icon and naming conventions, and publishing the resulting APKs on Play — the store users have been trained for a decade to treat as the safe option. The impersonators then either wrap adware, harvest contacts and SMS, or act as a downloader stub that pulls a second-stage payload after install. F-Droid's own client is not on Google Play by design; that absence is the vector. A user searching "f-droid" on Play gets results, and the results are not F-Droid.
The HN thread converged on two facts fast. First, Google's Play Protect and its review process — the thing repeatedly cited as the reason sideloading should be restricted — waved these apps through. Second, F-Droid has been raising the trademark-and-lookalike issue with Google for years via the standard reporting flow, with the usual result: takedowns arrive after coverage, not before.
The timing is not accidental. Google has spent the last eighteen months tightening the screws on sideloading — developer identity verification for all APK distribution, Play Integrity checks that flag non-Play installs as "unverified," and the Android 16 changes that make installing an unknown-source APK a multi-tap ordeal even for developers. The stated justification is malware. The F-Droid advisory is, in effect, a live counter-example: the malware in question is being distributed by the exact store whose monopoly is being defended on safety grounds.
This isn't a gotcha. It's a structural point about where trust actually lives on Android. F-Droid's model — reproducible builds, signed by the repository, source verifiable against the binary — gives you a chain of custody that Play's model does not. Play offers scale, review, and a kill switch; it does not offer build-to-source verification, and it never has. When the attack is "publish a binary that looks like the trustworthy one," the store with reproducible builds wins and the store with a review queue loses. That's what the advisory documents.
Community reactions in the HN thread split along predictable lines but the strongest version of each is worth naming. The pro-Play argument: individual bad apps slip through every store, F-Droid has had its own signing-key and CVE incidents, and Play's ability to remotely uninstall a compromised app is a real safety net that F-Droid cannot match. The pro-F-Droid argument: the entire premise of the sideloading crackdown is that Play is a categorically safer distribution channel, and every advisory like this one erodes that categorical claim. Both can be true, and the honest read is that the safety-vs-openness debate has been miscast as a binary when the actual variable is verifiability.
There is also a legal-shaped shadow over this. The EU's Digital Markets Act obligates gatekeepers to permit alternative app stores, and Google's compliance has been grudging — the sideloading friction is arguably a workaround. An advisory from a designated alternative store showing that the gatekeeper's store is shipping malware impersonating the alternative store is exactly the kind of artifact regulators screenshot.
If you ship an Android app with any open-source presence — a GitHub repo, an F-Droid listing, a Codeberg mirror — assume a lookalike either exists on Play now or will within a quarter. The mitigation is boring and unglamorous. Register the app name and icon assets as trademarks in your primary jurisdictions; without that, Google's trademark takedown flow is the only lever that reliably moves, and the DMCA route is slower and weaker. Publish a canonical install page at a domain you control, link to it from every README, and treat that page as the source of truth users can verify. If you can afford it, ship your own Play listing even if it's a thin wrapper — squatting your own name on Play is the cheapest defense against someone else squatting it for you.
For teams evaluating F-Droid as a distribution channel: the advisory does not weaken the case, it strengthens it. Reproducible builds are the only mechanism that lets a user (or an enterprise MDM) verify that the binary they installed corresponds to the source they audited. If your threat model includes supply-chain compromise — and after xz, it should — that verifiability is the feature you're paying for. F-Droid's inclusion checklist is stricter than Play's review, but the strictness is the product.
For security teams, add "impersonation on the gatekeeper store" to your brand-monitoring workflow if it isn't there already. The tooling is dull: a weekly scripted search of Play's public API for your app name, package name variations, and icon hash. The alert should route to whoever owns your trademark response, not just your security channel — because the fix is legal-shaped, not technical-shaped.
The interesting question is not whether Google takes these specific apps down — they will, on the standard "after the blog post trends" cadence. The interesting question is whether the pattern gets cited in the ongoing DMA compliance disputes and in the U.S. antitrust remedies phase, where sideloading restrictions are already contested. An advisory from the store Google is regulating against, documenting malware in the store Google is defending, is a load-bearing exhibit for the argument that verifiability — not gatekeeping — is what actually produces safety. Whether that argument lands in a courtroom or a compliance filing is out of F-Droid's hands. Publishing the advisory, in the timeframe they published it, is not.
Android users need to switch to Graphene.Someone needs to create a Linux based mobile OS foundation - Google's domination is contrary to many large companies interests, and if Meta and many other such companies were approached, they may well donate large sums of money in their own strategic int
I understand the frustration (I'm an avid fdroid user across many many devices). But this article comes off as childish with the virus/trojan/"malware vendor".With such an article, many (including perhaps google) get the ammo to disregard what fdroid says, by branding them a
I use Android because it lets me install whatever I want on my phone, which it does not seem to me, controversial. The phone is either mine or it is not. I don't want Google's protection. Particularly, if I can't refuse it.
> In computing, a trojan horse or trojan is a kind of malware that misleads users as to its true intent by disguising itself as a normal program. [1]Google is Trojans all the way down. What is the true intent of almost every Google product? Data harvesting.Every single product is spyware of some
Top 10 dev stories every morning at 8am UTC. AI-curated. Retro terminal HTML email.
It doesn't solve the current issue, but in case we don't manage to push back on this, some people might not know that there are various actual linux OSes for mobile:- SailfishOS: still linux based and seems fairly community inclusive, but the UI part of the stack is closed source. Is the o