F-Droid published a July 1 report accusing Google's Android Developer Verification (ADV) system of installing a root-privileged service to silently block unregistered apps starting September 30. The warning has sparked a massive backlash from over 70 organizations and threatens to force F-Droid to shut down its distribution model entirely.
F-Droid Calls Google's New Android Security Program a Trojan Horse
The free app store says a new system service with root privileges will silently block apps from unregistered developers starting September 30.
"If you are running Android 8 or higher, a virus has been installed on your device and is silently awaiting remote activation." F-Droid dropped that line in a report published July 1, 2026. Hard to call it anything less than alarming. The open source app repository is framing Google's upcoming Android Developer Verification (ADV) system as a self-install, root-privileged background service designed to quietly block software from developers who have not registered centrally with the company. The lockdown kicks in September 30 in Brazil, Indonesia, Singapore, and Thailand. The rest of the world is waiting on a 2027 rollout.
Google first floated the program in August 2025. At the time, the company positioned it as an additional security layer. Suzanne Frey, VP of Product for Trust and Growth on Android, wrote that over fifty times more malware originates from internet sideloads than from the Play Store. Repeat offenders were using anonymous accounts to keep pushing malicious builds. Google's fix was straightforward: make every developer who wants to ship on certified Android devices prove their identity. The process requires a $25 developer account fee, signed government ID, proof of your private signing key, and a mandatory list of every package name you plan to ship now and in the future. You also have to agree to a set of terms and conditions that Google reserves the right to change whenever it sees fit.
The Technical Breakdown
F-Droid says ADV is delivered through Play Protect itself, not some third-party plugin. Once it lands on your device, it runs as a system service with full root privileges. It is invisible in the settings menu. It cannot be disabled, paused, or removed. The only job it has, according to F-Droid's reverse engineering notes, is to phone home every time an unregistered app is installed or launched, then block it from running. Google claims it is an opt-in identity check. F-Droid says it is a mandatory system-level gatekeeper that ships without user consent.
Here is the problem with the supposed workaround. Google describes a nine-step process buried deep inside Developer Options. You enable developer mode, dismiss a series of aggressive warning screens, enter your PIN, restart the device, and then wait twenty-four hours. After that, you can pick a seven-day or permanent sideload exception. The catch is that this advanced flow is not actually in any build yet. It exists only as a blog post. A deterrent by design, which is exactly what F-Droid argues.
The Backlash
The timeline from Google's initial announcement to today's report reads like a slow escalation. F-Droid raised the first alarms in September 2025. Google promised a user-facing escape hatch in November. Early access registration opened in March. Verification went public in April. And now, with September 30 only months away, over seventy-one organizations from twenty-three countries have signed an open letter demanding the program be scrapped. The signatories read like a who's who of privacy and open source advocacy. EFF, the Free Software Foundation, Tor Project, Brave, Nextcloud, KDE e.V., Proton, GrapheneOS Foundation, LineageOS, and AdGuard are all listed. A Change.org petition tied to the campaign has pulled in more than one hundred thousand signatures. Tech press coverage has been uniformly hostile.
For F-Droid specifically, the ADV requirements cross a line that makes their entire model impossible to sustain. The store relies on community inspection, public build logs, and reproducible builds. Requiring developers to hand over government ID and surrender exclusive rights to every future package name directly contradicts how the repository operates. F-Droid states plainly that the ADV program is fundamentally at odds with their security model and will likely force them to shut down. Existing F-Droid users will lose the ability to install or update apps the moment the lockdown activates in those four countries.
What happens on September 30 is still largely a black box. F-Droid is explicit that they do not yet know whether the F-Droid app itself will be blocked, if existing sideloaded apps will be wiped, or exactly what telemetry is being sent back to Mountain View. Google maintains that Play Protect already handles malware scanning independently and that developer verification is simply an extra layer against repeat bad actors. Brazilian financial group FEBRABAN has even publicly backed the initiative as a major step forward for user protection.
The precedent matters far beyond Android. If Google can silently ship a root-privileged package gatekeeper to devices after they have been purchased, every hardware manufacturer is taking notes. The question is no longer whether this system blocks malware. It is who gets to decide what software you run on your own phone. F-Droid's full report and the open letter are live now, and the September 30 deadline leaves little time for a compromise. Keep Android Open has compiled the technical details and the list of signatories. Head there to read the full timeline and see if your organization is already on the letter.
