Do not take these risks.
Google’s mission to secure Android continues, narrowing the gap to iPhone. But that can never fully succeed unless and until user behaviors change. That’s the stark takeaway from Google’s update this week, and it must be taken seriously.
Google says that last year its “AI-powered threat detection and other security measures prevented 2.36 million policy-violating apps from being published on Google Play.” Even so, we have seen repeated instances of those defenses being breached. In the last month alone, Google has deleted hundreds of dangerous and malicious apps after security researchers found they had infected devices with adware or malware.
But as bad as that is, it’s nothing as compared to downloads and installs from outside Play Store. “ By contrast,” Google warns, “our most recent analysis found over 50 times more Android malware from internet-sideloaded sources (like browsers and messaging apps) than on Google Play.” The company is doing its best with with the expansion of Play Protect across all apps regardless of source, and Android 15’s introduction of live threat detection, but that will only work to a point.
Just after Google published its update, another warning was issued as Android phones were found to be infected with malware through malicious, sideloaded messaging apps. According to Sophos, the “PJobRAT can steal SMS messages, phone contacts, device and app information, documents, and media files from infected Android devices.”
There is still mixed messaging coming from Google on sideloading. Yes there are repeated warnings, but there are also updates such as the new option to pause Play Protect, which are messaged as an easier way to sideload. My advice is much clearer — do not sideload apps unless you’re absolutely certain of the legitimacy and security of the app and its source, and only if it’s not available from an official store.
For Google, sideloading is a marquee differentiator to iPhone, a more libertarian outlook reflecting Android’s original values. But the world has changed. Samsung, Android’s leading OEM, goes further than Google and is restricting sideloading on devices to a much greater extent. It now defaults to Maximum Restrictions on phones and makes it increasingly difficult to override those defenses.
Ironically, Android’s clampdown on sideloading comes as Apple is being forced — step-by-step — to open up iPhone to those same kinds of risks. Apple has been unambiguous with its own warnings. “Sideloading through direct downloads and third-party app stores,” it says, “would cripple the privacy and security protections that have made iPhone so secure, and expose users to serious security risks.”
Take those warnings seriously. For almost all users, sideloading is a needless risk that you should not be taking with your device, your security credentials and your data. Not with your phone now the key that unlocks almost all aspects of your life.
