Back to Blog
Mobile App Security

Google's 2025 Play Store Numbers Show the Scale of the Mobile Threat Problem

Google's year-in-review disclosure — 1.75 million apps blocked pre-publication, 872,000 high-risk apps neutralized, and a new developer verification regime — is as much a map of attacker activity as it is a scorecard.

PyramidLedger Research4 min read
Share

Key Takeaways

  • Google says it blocked 1.75 million policy-violating apps from Google Play and banned 80,000 malicious developer accounts in 2025.
  • Google Play Protect identified 27 million new malicious apps from outside the Play Store and blocked 266 million risky install attempts, based on 350+ billion daily app scans.
  • A new Developer Verification program and expanded fraud protection (now covering 185 markets and 2.8 billion devices) signal Google is tightening identity and installation controls, not just app review.
  • None of this substitutes for enterprise-side vetting — app store presence, even a clean one, is not a security control an organization can rely on alone.

Google's annual Play Store security report for 2025 is less a victory lap than a disclosure of scale: the volume of malicious and fraudulent activity aimed at Android's app ecosystem is now large enough that Google is reporting it in the billions, not thousands.

Enforcement at the store front

Google says it prevented 1.75 million policy-violating apps from ever reaching Google Play in 2025, and banned 80,000 developer accounts tied to malicious activity. Separately, 255,000 apps were blocked or restricted for requesting excessive access to sensitive user data — a category that covers overreaching permissions rather than outright malware, and one that has historically been a bigger source of privacy incidents than novel malware families. Google also says it blocked 160 million spam ratings and reviews, which it credits with preventing an average 0.5-star rating drop on apps targeted by review-bombing campaigns.

Play Protect: real-time defense against what's already installed

The more operationally interesting numbers concern Google Play Protect, the on-device and cloud scanning layer that runs regardless of where an app was installed from. Google reports 350+ billion app scans per day, and says this pipeline identified 27 million new malicious apps originating outside Google Play — i.e., sideloaded or third-party-sourced software. Play Protect blocked 266 million risky installation attempts and neutralized 872,000 unique high-risk applications over the year.

Google also expanded real-time fraud protection — analysis that flags scam and financial-fraud behavior at install and runtime — to 185 markets, now covering 2.8 billion Android devices. That geographic expansion matters: fraud tooling tuned on one region's scam patterns (fake banking apps, loan-shark apps, investment-fraud lures) doesn't automatically generalize, and rolling it out at this scale implies a meaningful investment in localized detection models.

Identity, not just code review

The structural change worth watching is Google's push toward developer identity verification, alongside 20+ billion daily checks through the Play Integrity API (which lets app developers verify that their app is running on a genuine, unmodified device and installation) and over 10,000 automated safety checks now run against every published app before release. Static and dynamic app scanning catches known-bad code; verifying who published an app is a different control aimed at accountability and takedown speed once something slips through review — the two are complementary, not redundant.

What this means for security teams, not just consumers

  • Store-level scanning is necessarily generic — it optimizes for catching malware families and fraud patterns at population scale, not for the specific threat model of a single enterprise's approved app list.
  • Organizations that publish their own Android apps, or manage BYOD/MDM fleets, should treat these numbers as evidence of attacker volume and sophistication, not as a reason to relax internal app vetting or mobile AppSec testing.
  • The shift toward developer verification and integrity attestation is worth tracking for any organization whose compliance posture (ISO 27001, DORA) touches mobile app distribution or third-party app risk.

The headline figures are Google's own and unaudited by a third party — there's no independent breakdown of how 'high-risk' or 'malicious' is scored across these categories. Read them as a signal of scale and direction of investment, not as a precise threat count.

Frequently Asked Questions

Does Google Play Protect replace the need for enterprise mobile app security testing?

No. Play Protect is tuned to catch malware families and fraud patterns at Android-wide scale; it doesn't assess whether a specific app handles your organization's data, authentication, or business logic securely. Static/dynamic app security testing and threat modeling remain necessary for apps you build or rely on operationally.

What is Android's Developer Verification program?

It's Google's move to require stronger identity verification for developers publishing or distributing Android apps, intended to speed takedowns and accountability when malicious apps do get through automated review — a complement to, not a replacement for, code-level scanning.

Do Google's 2025 numbers mean sideloaded apps are safer now?

The 27 million malicious apps Play Protect identified in 2025 came from outside Google Play, which is where on-device scanning matters most since store-front review never touched them. The volume suggests sideloading remains the higher-risk installation path, even with on-device protection active.

Sources

  1. 1Keeping Google Play & Android app ecosystems safe in 2025Google Security Blog
  2. 2Google Play Protect overviewGoogle for Developers
  3. 3Keeping Google Play & Android app ecosystems safe in 2025Google Online Security
Share

Read next