Google is tightening business verification on Google Play, but there is a loophole
Google Play Store, the official place to get Android games and applications, already has several security protections in place that are designed to prevent the release of malicious content on the Play Store. These do not offer 100% protection, as security researchers regularly detect malicious or spam apps and games on the Play Store for Android.
Last week, Google announced its latest measure to improve trust and transparency on the Google Play Store. The company announced expanded developer verification requirements, which it hopes will reduce the number of new malicious or spam apps on the official Android app store.
At the moment, the main change affects only new developers who sign up for an organization account. All new sign-ups require a D-U-N-S (Data Universal Numbering System) number, a nine-digit ID that is "widely used to verify businesses". Google plans to enforce the change for existing organization developer accounts in the future as well. The company promises that it will release information regarding this in October 2023.
These IDs are issued by Dun & Bradstreet, and Google notes that it uses the information to verify the developer account. According to the announcement, Google may still ask for additional verification during the sign-up process.
According to Dun & Bradstreet's website, obtaining a D-U-N-S number is "simple and free". The creation of the number may take up to 30 business days, but organizations may expedite the process to get the number within 8 business days for a fee.
As far as the timeline is concerned, Google wants to roll out the change to new organization developer accounts first, on August 31. In October, Google will share information that explains how existing developers may update and verify their accounts.
Google will rename the Contact details section on Google Play to App support. The new App support section includes an updated "about the developer" section that may show verified information such as the name, address and also contact details.
Closing Words
The new requirements will make it more difficult for malicious actors to publish apps or games using organization accounts on Google Play. Personal accounts, on the other hand, are not affected by the change. While there will still be sophisticated attacks from organization accounts on Google Play, the majority of malware and spam will likely move to personal accounts.
As Android is designed to be spyware, tapping into those OS level capabilities by app publishers is both easy and expected.
Maybe unrooted Android is, but how can you say that? What proof do you have? I bet there are plenty of methods to strip out telemetry from rooted Android, and maybe even telemetry-free builds out there.