Google to require 2FA and a physical address from Android app devs
After seeing an increase in fraud and malicious developer accounts, Google announced on Monday plans to require additional identity verification from developers who want to list apps on the official Play Store.
Google said that starting Monday, anyone who registers a new Play Store developer account must specify whether the account is owned by a person or an organization, provide a contact name and a physical address, and verify both their phone number and email address.
Prior to today's change, Google was only asking Play Store devs to provide an email address and phone number but was never validating either of them.
In recent years, this lackadaisical process has led to an entire cottage industry popping up in underground cybercrime forums, with multiple threat actors offering to automate the process of creating Google Play developer accounts.
Crooks would create these accounts en masse and then sell them to other groups, who would later use them to upload malicious apps on the Play Store containing malware, different scams, clones of legitimate apps, or fleeceware (apps that grossly overcharge users for basic functionality).
But while crooks created new accounts to peddle their malicious apps, some threat actors also broke into genuine accounts in order to insert malicious code inside legitimate apps.
To counter this trend, Google said yesterday it would also require Play Store developers to enable a two-factor authentication solution for their account before being allowed to list Android apps on the official store.
According to Google, the timeline of these upcoming changes will be as follows:
- Starting June 28, 2021: Developer account owners will be able to declare their account type and verify their contact details.
- August: All new developer accounts will need to specify their account type and verify their contact information at sign-up. 2FA will also be a requirement for the owners of new developer accounts.
- Later this year: All Play Store dev accounts will need to declare their account type, verify credentials, and enable 2FA.