Google is crediting new AI-driven defenses for a notable decline in malicious activity aimed at its app marketplace, saying stronger automated checks and stricter developer verification have deterred would-be attackers. In its latest Android app ecosystem safety report, the company points to fewer policy-violating submissions and developer bans on Google Play, even as threats increasingly try to bypass the store altogether.
Fewer Malicious Submissions Inside Play
According to Google, it blocked 1.75 million policy-violating app submissions last year, down from 2.36 million the prior year and 2.28 million the year before that. Suspensions of developer accounts tied to malicious activity also fell sharply, to more than 80,000, from 158,000 the prior year and 333,000 two years earlier.

Google argues the drop reflects deterrence as much as detection. With developer identity verification, mandatory pre-review checks, and testing requirements in place, the company says it has “raised the bar” for entry and removed easy pathways for fraudsters who once relied on quick resubmissions or shell identities.
AI-Powered Review and Real-Time Defenses
The review pipeline now subjects every app to more than 10,000 safety checks, with multiple rechecks after publication. Google says its latest generative AI models help human reviewers surface complex, low-signal patterns—like permission misuse hidden behind innocuous code paths, lookalike developer metadata, or SDK behaviors that only turn malicious after an update.
Under the hood, that means combining static code analysis, behavioral sandboxing, reputation graphs, and clustering of text and image assets to spot coordinated campaigns. Google emphasizes that AI is not replacing human judgment, but accelerating triage and flagging families of related threats faster than rule-based systems alone.
The company also says it will expand AI investments over the next year to keep pace with attackers who increasingly obfuscate code, stage delayed payloads, or try to mimic benign patterns. That includes tighter coupling between app review signals and on-device detection from Google Play Protect.
Threats Shift Outside the Play Store Ecosystem
The flip side of better gatekeeping is displacement. Google Play Protect—Android’s built-in threat defense—identified more than 27 million new malicious apps outside the store and either warned users or blocked execution. That’s up from 13 million the year prior and five million two years earlier, a clear sign that threat actors are leaning on sideloading, dropper chains, and third-party marketplaces to reach victims.
Security researchers have long warned that banking trojans and spyware often rely on overlays, Accessibility abuse, and social engineering delivered via phishing pages or messaging apps. The surge in off-store detections underscores the need for device-level protections and user education around unknown sources, even as Play’s walls get higher.

Crackdown on Data Abuse and Review Manipulation
Google says it stopped more than 255,000 apps from seeking excessive access to sensitive user data, a steep decline from 1.3 million the prior year—an indicator that stricter policy enforcement and SDK scrutiny are taking hold. On the integrity front, the company reports blocking 160 million spam ratings and reviews and says its systems prevented an average 0.5-star drop in apps targeted by coordinated review bombing.
These interventions matter beyond optics. Manipulated ratings can drive installs toward fraudulent finance, VPN, or utility apps, while permissive data access can enable stalking, credential theft, or predatory lending models. Cutting off those vectors at submission time reduces downstream harm even when code itself isn’t overtly malicious.
How the Findings Fit Wider Security Trends
Independent teams in the App Defense Alliance—launched with partners like ESET, Lookout, and Zimperium—have for years documented malware families that mutate quickly and shift distribution channels when defenses harden. Analysts at firms such as ThreatFabric and NCC Group similarly note that trojans targeting mobile banking and crypto wallets increasingly favor off-store delivery and delayed-activation payloads to dodge storefront checks.
Against that backdrop, the pattern Google reports—fewer malicious attempts inside Play and more detections outside—tracks with the classic security story: once the moat deepens, adversaries probe the countryside. The practical takeaway is that storefront security and endpoint protection must evolve in tandem.
What It Means for Developers and Everyday Users
For developers, identity verification, pre-launch testing, and tighter policy enforcement are now table stakes. Implementing modern permission practices, minimizing SDK risk, and using signals like Play Integrity can reduce review friction and protect reputation if a supply-chain component turns toxic.
For users, the advice remains straightforward: keep Play Protect on, avoid installs from unknown sources, scrutinize permissions, and be skeptical of apps promoted through urgency-laced messages. Google’s numbers suggest the store is harder to game, but the broader Android ecosystem still demands vigilance where AI can’t yet stand in for human caution.