Android malware campaigns, Play Store security/enforcement, and developer verification policies and their critics
Android Security, Malware & Play Policies
As Android’s ecosystem continues to expand, security challenges and enforcement policies have become critical focal points, particularly in the face of increasingly sophisticated malware campaigns that exploit new platform features like Google’s generative AI engine, Gemini. Meanwhile, Google has intensified its efforts to safeguard the Play Store through enhanced protections, developer account verifications, and policy enforcements—though not without controversy.
Emerging Android Malware Threats Exploiting Gemini and Firmware Backdoors
Recent investigations have uncovered Android malware campaigns that abuse the platform's AI integration and compromised device firmware to evade detection and maintain persistence:
- KeenAdu backdoor: A newly discovered Android backdoor named KeenAdu has been found embedded in the firmware of tablets sold in regions including Russia, Germany, and Japan. Because it ships inside the system image rather than as a user-installed app, it runs with the privileges of a preinstalled system component and survives a factory reset, which only wipes the user data partition. KeenAdu's presence in both firmware and some Google Play apps shows how far supply-chain compromise now reaches.
- AI-assisted malware using Gemini: In a first for Android, the PromptSpy malware has been reported to drive Google's Gemini generative AI at runtime. According to the cited report it hijacks the Gemini engine on Android 17 and later to carry out persistence and evasion tasks, which makes detection and remediation harder because the malicious actions are performed by a trusted system component.
- Other variants have been observed abusing Gemini's runtime environment to orchestrate multi-stage attacks that blend AI-driven command and control with conventional payloads, signalling a new class of AI-assisted Android threats.
These developments underscore the need for runtime anomaly detection, firmware and boot-state attestation, and security tooling applied across the whole app lifecycle rather than only at store submission.
Google Play Security Enhancements and Enforcement Actions in 2025
In response to these threats, Google significantly expanded its Play Store defenses throughout 2025, combining AI-based detection with policy enforcement:
- App submission blocking: Over 1.75 million policy-violating app submissions were blocked from publication on Google Play in 2025, reflecting a proactive stance against malware, scams, and policy circumvention.
- Developer account bans: More than 80,000 developer accounts were banned for violations including malicious app distribution and ad fraud. For example, Google pulled 115 Android apps tied to an ad fraud scheme affecting roughly 25 million devices.
- AI-powered malware detection: Google credits its AI systems for a notable decline in malicious app submissions targeting the Play Store, emphasizing the role of AI in both threat detection and prevention.
- Ongoing policy updates: Google rolled out new protections aimed at scams, malware, and abuse of user privacy, including stricter permission handling and behavioral monitoring.
Developer Verification Policies and Community Pushback
To further tighten the ecosystem, Google introduced a mandatory developer verification program in early 2026, designed to hold bad actors accountable by verifying developer identities and enforcing stricter account controls. Key aspects include:
- Stricter identity checks: Developers must submit verifiable personal or business information, with increased scrutiny on new accounts to prevent fraudulent registrations.
- Transparency and accountability: Tying apps to verified developer identities is intended to remove the anonymity that bad actors rely on to re-register after a ban.
However, the initiative has met significant resistance from parts of the Android developer community and from privacy advocates:
- An open letter signed by over 40 organizations, including Proton, Tor, and AdGuard, urged Google to reverse what it calls an "alien security model," warning that it could stifle innovation, threaten the openness of the ecosystem, and disadvantage smaller or privacy-focused developers.
- Critics argue that the policy may raise barriers to entry, reduce diversity, and compromise the open nature that has driven Android's growth.
Balancing Security and Openness: Google’s Ongoing Challenges
Google faces the delicate task of balancing robust security enforcement with the vitality of its developer ecosystem:
- Supply chain integrity: App-store scanning never sees a backdoor such as KeenAdu that ships inside OEM firmware, so defending that layer depends on OEM supply-chain controls, verified boot, and device attestation, alongside the vetting of third-party libraries that apps bundle. A layered defense has to cover both the app and the firmware beneath it.
- Runtime anomaly detection: Behavioral analysis in Play's pre-publication review and Play Protect's on-device scanning is where malware that drives Gemini or uses other advanced techniques has to be caught, since that behavior is only visible at run time.
- User data and privacy protections: Google continues to tighten permission controls and backup policies, including expanded backup coverage for the Downloads folder, closing gaps in user data protection.
- Collaborations with OEMs: Partnerships with OEMs such as Samsung and Fairphone focus on extended security updates and hardware-level protections, reinforcing the security posture across devices.
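The firmware-attestation point above, and the earlier call for boot-state attestation in the malware section, are about establishing whether the software a device booted is the software the OEM signed. The script below is an added example, not code from the page or from Google: it triages an `adb shell getprop` dump for the boot-state and build properties a responder checks first. The property dump, the `acme/tab10` device, and the fingerprint allowlist are all constructed for illustration.

```python
"""Triage an Android device's firmware integrity from `adb shell getprop` output.

Added example. The property dump and the fingerprint allowlist are constructed;
`acme/tab10` is a fictional device model.
"""
import re

# Constructed sample of `adb shell getprop` output from a hypothetical tablet
# whose bootloader has been unlocked (verified boot reports "orange").
SAMPLE_GETPROP = """\
[ro.boot.flash.locked]: [0]
[ro.boot.verifiedbootstate]: [orange]
[ro.boot.vbmeta.device_state]: [unlocked]
[ro.build.fingerprint]: [acme/tab10/tab10:14/UP1A.231005.007/1234:user/release-keys]
[ro.build.tags]: [release-keys]
[ro.build.type]: [user]
[ro.debuggable]: [0]
[ro.secure]: [1]
"""

# Hypothetical allowlist of build fingerprints the OEM published for this model.
KNOWN_GOOD_FINGERPRINTS = {
    "acme/tab10/tab10:14/UP1A.231005.007/1234:user/release-keys",
}

# getprop prints one "[key]: [value]" pair per line.
PROP_RE = re.compile(r"^\[([^\]]+)\]: \[(.*)\]$")


def parse_getprop(dump: str) -> dict[str, str]:
    """Turn a getprop dump into a dict; lines that do not match are ignored."""
    props: dict[str, str] = {}
    for line in dump.splitlines():
        m = PROP_RE.match(line.strip())
        if m:
            props[m.group(1)] = m.group(2)
    return props


def assess_firmware(props: dict[str, str], known_good: set[str]) -> list[str]:
    """Return human-readable findings; an empty list means nothing stood out."""
    findings: list[str] = []

    # Verified boot: green = locked bootloader and OEM-signed image chain.
    vbstate = props.get("ro.boot.verifiedbootstate", "")
    if vbstate != "green":
        findings.append(f"verified boot state is '{vbstate or 'unknown'}' (expected green)")

    # Either property reporting an unlocked bootloader means arbitrary images can be flashed.
    if (props.get("ro.boot.vbmeta.device_state") == "unlocked"
            or props.get("ro.boot.flash.locked") == "0"):
        findings.append("bootloader is unlocked; arbitrary system images can be flashed")

    # Debuggable or non-user builds give adb root and disable several protections.
    if (props.get("ro.build.type") != "user"
            or props.get("ro.debuggable") == "1"
            or props.get("ro.secure") == "0"):
        findings.append("build is debuggable or not a user build")

    if props.get("ro.build.tags") != "release-keys":
        findings.append("build is not signed with release keys")

    # A fingerprint the OEM never shipped points at a modified or repackaged image.
    fp = props.get("ro.build.fingerprint", "")
    if fp not in known_good:
        findings.append(f"build fingerprint not in OEM allowlist: {fp or 'missing'}")

    return findings


if __name__ == "__main__":
    for finding in assess_firmware(parse_getprop(SAMPLE_GETPROP), KNOWN_GOOD_FINGERPRINTS):
        print("FINDING:", finding)
```

Two caveats a practitioner should keep in mind. First, these properties are reported by the device itself, so firmware that has already been tampered with can lie; hardware-backed key attestation, which embeds the verified boot state and bootloader lock status in a certificate signed inside the secure hardware, is the signal to rely on when the device is untrusted. Second, a backdoor that the OEM (or a factory in its supply chain) built into the signed image, which is the KeenAdu scenario, boots "green" with a locked bootloader and a valid fingerprint. Verified boot proves the image is the one that was signed, not that the signed image is clean, so the allowlist comparison has to be backed by comparing partition hashes against images obtained out of band.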
Takeaways for Developers and Users
- Developers should anticipate stricter verification requirements and adapt their publishing workflows accordingly, while adopting AI-assisted security tooling to protect their apps and users.
- Users benefit from Google's enhanced protections but should remain vigilant about app permissions and updates, especially given the growing sophistication of malware that abuses AI integrations and firmware-level access.
- The Android ecosystem must continue evolving its security models, detection capabilities, and community engagement to mitigate threats without undermining the openness and innovation that define the platform.
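"Remain vigilant about app permissions" is easier to act on with a concrete rule set. The script below is an added example, not code from the page or from Google: it reads a decoded AndroidManifest.xml and flags the permission combination that Android banking trojans and droppers depend on, namely SMS access, overlays, package installation and an accessibility service. The manifest and the package name are constructed for illustration; a real APK stores its manifest as binary XML, so it would first be decoded with a tool such as apktool or `aapt2 dump xmltree`.

```python
"""Flag high-risk permission combinations in a decoded AndroidManifest.xml.

Added example. The manifest below is constructed and com.example.flashlight
is a hypothetical package; the app claims to be a flashlight.
"""
import xml.etree.ElementTree as ET

# ElementTree exposes namespaced attributes as "{namespace}name".
ANDROID_NS = "{http://schemas.android.com/apk/res/android}"

# Permissions that are legitimate in some apps but are the staple of Android
# banking trojans and droppers when they appear together or in an app whose
# stated purpose does not need them.
RISKY_PERMISSIONS = {
    "android.permission.READ_SMS": "can read one-time codes from SMS",
    "android.permission.RECEIVE_SMS": "can intercept one-time codes from SMS",
    "android.permission.SYSTEM_ALERT_WINDOW": "can draw overlays on top of other apps (phishing)",
    "android.permission.REQUEST_INSTALL_PACKAGES": "can sideload further APKs (dropper)",
    "android.permission.BIND_DEVICE_ADMIN": "device-admin rights hinder uninstall",
    "android.permission.QUERY_ALL_PACKAGES": "can enumerate installed banking apps",
}
ACCESSIBILITY_PERMISSION = "android.permission.BIND_ACCESSIBILITY_SERVICE"

# Constructed manifest: a "flashlight" app that also wants SMS, overlays,
# package installation and an accessibility service.
SAMPLE_MANIFEST = """\
<manifest xmlns:android="http://schemas.android.com/apk/res/android"
          package="com.example.flashlight">
  <uses-permission android:name="android.permission.CAMERA"/>
  <uses-permission android:name="android.permission.READ_SMS"/>
  <uses-permission android:name="android.permission.SYSTEM_ALERT_WINDOW"/>
  <uses-permission android:name="android.permission.REQUEST_INSTALL_PACKAGES"/>
  <application android:label="Flashlight">
    <service android:name=".A11y"
             android:permission="android.permission.BIND_ACCESSIBILITY_SERVICE">
      <intent-filter>
        <action android:name="android.accessibilityservice.AccessibilityService"/>
      </intent-filter>
    </service>
  </application>
</manifest>
"""


def extract_manifest_facts(xml_text: str) -> tuple[set[str], bool]:
    """Return (requested permissions, whether an accessibility service is declared)."""
    root = ET.fromstring(xml_text)
    perms = {el.get(ANDROID_NS + "name") for el in root.iter("uses-permission")}
    perms.discard(None)
    # An accessibility service is declared by a <service> guarded by the
    # BIND_ACCESSIBILITY_SERVICE permission; that, not a uses-permission, is the tell.
    has_a11y = any(
        svc.get(ANDROID_NS + "permission") == ACCESSIBILITY_PERMISSION
        for svc in root.iter("service")
    )
    return perms, has_a11y


def assess_manifest(xml_text: str) -> dict:
    """Score a manifest: {"severity": low|medium|high, "findings": {permission: reason}}."""
    perms, has_a11y = extract_manifest_facts(xml_text)
    findings = {p: RISKY_PERMISSIONS[p] for p in sorted(perms) if p in RISKY_PERMISSIONS}
    if has_a11y:
        findings[ACCESSIBILITY_PERMISSION] = "accessibility service can read screens and inject taps"

    severity = "medium" if findings else "low"
    # Accessibility plus overlays is the classic credential-theft setup:
    # the overlay collects the login, the accessibility service drives the real app.
    if has_a11y and "android.permission.SYSTEM_ALERT_WINDOW" in perms:
        severity = "high"
    return {"severity": severity, "findings": findings}


if __name__ == "__main__":
    report = assess_manifest(SAMPLE_MANIFEST)
    print("severity:", report["severity"])
    for perm, reason in report["findings"].items():
        print(f"  {perm}: {reason}")
```

The camera permission is not flagged because a flashlight genuinely needs it; the point of the check is the mismatch between what the app says it does and what it asks for, and especially the accessibility-plus-overlay pair, which Play's stricter permission handling and a user's own caution are both meant to catch.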
Further Reading
- Inside KeenAdu: The Android Backdoor Hiding in Plain Sight Across Firmware and Google Play Apps
- Android Malware Hijacks Google Gemini to Stay Hidden
- Google blocked over 1.75 million Play Store app submissions in 2025
- Google banned 80,000+ bad developer accounts in 2025
- Google to roll out Android developer verifications to hold bad actors accountable
- Proton, Tor, AdGuard among 40+ asking Google to reverse new 'alien security model' for Android developers
- EXCLUSIVE: Google Pulls 115 Android Apps Tied to Ad Fraud Scheme Affecting 25M Devices
This comprehensive view highlights the interplay between innovative security enforcement, emerging AI-powered malware threats, and community concerns over developer policies—a dynamic landscape that will continue to shape Android’s security and ecosystem governance in the coming years.