Google Enhances Android Privacy with New Play Policies and Intensifies Fight Against Malvertising

Google this week unveiled a significant overhaul of its Google Play policies, introducing stringent new measures designed to bolster user privacy and fortify the app ecosystem against fraudulent activities. These updates, announced concurrently with a stark revelation of Google’s aggressive stance against malicious advertising in 2025, underscore the tech giant’s commitment to a safer and more transparent digital environment. In the past year alone, Google reported blocking or removing a staggering 8.3 billion ads globally and suspending 24.9 million accounts deemed to be engaged in policy violations.
The cornerstone of the new policy updates lies in a fundamental rethinking of how third-party applications can access sensitive user data, specifically contact lists and location information. Android is ushering in a more privacy-conscious era with the introduction of a new Contact Picker and a streamlined location permission system. These enhancements aim to empower users with granular control over their personal information, ensuring they grant access only to the specific data and for the precise duration required by an app, thereby minimizing data footprints and enhancing transparency.
Granular Contact Access Through the New Contact Picker
Previously, applications seeking access to a user’s contact list were compelled to utilize the broad READ_CONTACTS permission. This permission, while functional, granted apps unfettered access to the entire contact database, including names, phone numbers, email addresses, and other associated metadata. This inherent overreach presented a significant privacy concern, as many apps only required a subset of this information for their core functionality.
The newly introduced Contact Picker addresses this deficiency by offering a standardized, secure, and searchable interface for contact selection. "This feature allows users to grant apps access only to the specific contacts they choose, aligning with Android’s commitment to data transparency and minimized permission footprints," Google stated in a recent announcement. This innovation fundamentally shifts the paradigm from broad access to specific, user-defined permissions. Instead of a blanket grant, users can now selectively share individual contacts or specific details within a contact, such as a phone number or email address, directly with an application. This granular approach significantly reduces the potential for unnecessary data collection and misuse.
The updated Play policy mandates that all applicable apps must adopt the Contact Picker, or alternatively, the Android Sharesheet, as the primary mechanism for accessing user contacts. The READ_CONTACTS permission will now be reserved exclusively for applications that demonstrate a critical and unavoidable reliance on full contact list access for their core operations. Developers targeting Android 17 (currently in beta) and later versions are strongly advised to remove the READ_CONTACTS permission from their app’s manifest declaration altogether, unless they can provide a compelling justification for its necessity.
For those apps that genuinely require comprehensive access to a user’s contact list, Google has implemented a rigorous review process. "If your app requires full, ongoing access to a user’s contact list to function, you must justify this need by submitting a Play Developer Declaration in the Play Console," Google elaborated. This declaration process is designed to ensure that such broad permissions are granted only in exceptional circumstances and for legitimate functional requirements, further safeguarding user privacy.
Enhanced Location Privacy with a Streamlined Button and Persistent Indicators
Complementing the advancements in contact permission management, Google has also introduced significant enhancements to location data access within Android 17. A streamlined location button has been integrated, enabling apps to request one-time access to a user’s precise location. This feature is designed to facilitate more informed user decisions regarding the sharing of their location, allowing them to specify not only the duration but also the exact nature of the access granted.

Crucially, Android 17 will introduce a persistent indicator that will alert users every time a non-system app accesses their location. This visual cue serves as a constant reminder and a deterrent against unauthorized or excessive location tracking, fostering greater user awareness and control.
To ensure compliance with these new location privacy standards, developers are strongly encouraged to meticulously review their apps’ location usage. The guiding principle is to request only the minimum amount of location data necessary for an app’s essential functions. "If your app targets Android 17 and above and uses precise location for discrete, temporary actions, implement the location button by adding the onlyForLocationButton flag in your manifest," the tech giant stated. This flag ensures that the new, user-friendly location request mechanism is utilized.
For applications that necessitate persistent, precise location access for their core functionality, a similar Play Developer Declaration process will be in place. "If your app requires persistent, precise location to function, you will need to submit a Play Developer Declaration in Play Console to show why the new button or coarse location isn’t sufficient for your app’s core features," Google explained. This ensures that any app demanding continuous access to a user’s location undergoes scrutiny to validate its necessity.
The declaration form is slated to become available prior to October 2026. In anticipation of these policy changes, pre-review checks within the Play Console are scheduled to go live starting October 27, providing developers with an opportunity to identify and rectify any potential conflicts with the new contact or location permissions policies before the official enforcement dates.
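A pre-submission check for the two manifest changes described above (the READ_CONTACTS removal and the location button flag), added here as an illustration and not taken from Google or the Play Console. The manifest is a constructed sample, the function names are hypothetical, and because the announcement names the onlyForLocationButton flag without showing its syntax, the check assumes it appears as an attribute of that name set to "true" on the precise-location permission element.

```python
import xml.etree.ElementTree as ET

ANDROID_NS = "http://schemas.android.com/apk/res/android"
NAME_ATTR = f"{{{ANDROID_NS}}}name"

# Constructed sample manifest (not from any real app).
SAMPLE_MANIFEST = """<manifest xmlns:android="http://schemas.android.com/apk/res/android"
    package="com.example.demo">
    <uses-permission android:name="android.permission.INTERNET" />
    <uses-permission android:name="android.permission.READ_CONTACTS" />
    <uses-permission android:name="android.permission.ACCESS_FINE_LOCATION" />
    <uses-permission android:name="android.permission.ACCESS_COARSE_LOCATION" />
</manifest>
"""


def local_name(qualified):
    """Strip the '{namespace}' prefix ElementTree puts on attribute names."""
    return qualified.rsplit("}", 1)[-1]


def has_button_flag(elem):
    # ASSUMPTION: the flag is an attribute named onlyForLocationButton with
    # value "true"; the announcement gives the name but not the exact syntax.
    return any(local_name(key) == "onlyForLocationButton" and value == "true"
               for key, value in elem.attrib.items())


def audit_manifest(xml_text):
    """Return (permission, finding) pairs for entries the new policy covers."""
    # For manifests from untrusted sources, parse with defusedxml instead.
    findings = []
    for elem in ET.fromstring(xml_text).iter():
        # Covers <uses-permission> and <uses-permission-sdk-23>.
        if not elem.tag.startswith("uses-permission"):
            continue
        short = elem.get(NAME_ATTR, "").rsplit(".", 1)[-1]
        if short == "READ_CONTACTS":
            findings.append((short, "remove it, or file a Play Developer Declaration"))
        elif short == "ACCESS_FINE_LOCATION" and not has_button_flag(elem):
            findings.append((short, "precise location without the location button flag"))
    return findings


if __name__ == "__main__":
    for permission, finding in audit_manifest(SAMPLE_MANIFEST):
        print(f"{permission}: {finding}")
```

Run against a merged manifest in CI, a non-empty result is a prompt to either drop the permission or prepare the declaration before the Play Console pre-review checks begin.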
Fortifying the App Ecosystem Against Fraudulent Transfers
Beyond privacy enhancements, Google is also implementing robust measures to combat fraud within the developer community. A new native account transfer feature is being integrated into the Play Console, providing a secure and official channel for businesses to transfer ownership of their applications. This feature is designed to protect businesses from fraudulent activities that can arise from unofficial or insecure transfer methods.
Google is strongly recommending that app developers transition to utilizing this native feature for all account ownership changes, commencing May 27, 2026. This proactive measure aims to eliminate the vulnerabilities associated with less secure practices. "That means that unofficial transfers (like sharing login credentials or buying and selling accounts on third-party marketplaces), which leave your business vulnerable, are not permitted," Google emphasized, clearly delineating acceptable and prohibited practices. This move is expected to significantly reduce instances of account hijacking and unauthorized app acquisitions.
Google Intensifies Its War on Malvertising with AI
The comprehensive policy updates for the Android ecosystem are unfolding against the backdrop of Google’s intensified efforts to combat malvertising. The company revealed its strategic deployment of Gemini, its advanced artificial intelligence (AI) model, to proactively detect and block malicious advertisements across its platforms. This AI-driven approach has proven remarkably effective, with Google reporting that over 99% of policy-violating ads were identified and intercepted by its systems in 2025 before they could reach users.
Keerat Sharma, Vice President and General Manager of Ads Privacy and Safety at Google, highlighted the transformative capabilities of Gemini in a statement to The Hacker News. "Unlike earlier keyword-based systems, our latest models better understand intent, helping us spot malicious content and preemptively block it, even when it’s designed to evade detection," Sharma explained. This advanced understanding of intent allows Gemini to discern malicious patterns and deceptive tactics with greater accuracy than traditional methods.

The scale of Google’s ad enforcement in 2025 is unprecedented. The company reported removing or blocking 602 million ads and 4 million accounts associated with scams or scam-related activities. Furthermore, over 4.8 billion ads were restricted for policy violations, and more than 480 million web pages were actioned for attempting to serve prohibited content, including sexually explicit material, weapons promotion, online gambling, alcohol, tobacco, and malware.
These figures represent a significant escalation in enforcement compared to the previous year. In 2024, Google suspended over 39.2 million advertiser accounts, stopped 5.1 billion harmful ads, restricted 9.1 billion ads, and blocked or restricted ads on 1.3 billion pages. While the numbers are substantial across both years, the specific focus and effectiveness of AI in identifying and blocking new forms of malvertising are evident in the latest report.
The rise of generative AI has presented new challenges in the fight against deceptive advertising. Bad actors are increasingly leveraging these technologies to create sophisticated and scalable fraudulent campaigns. Google’s Gemini is proving to be a critical defense mechanism in this evolving landscape. "Bad actors are using generative AI to create deceptive ads at scale, and Gemini helps us detect and block them in real time," Google stated. The company further revealed that by the end of last year, the majority of Responsive Search Ads created in Google Ads were subjected to instant review, with harmful content being blocked at the submission stage. This capability is planned for expansion to more ad formats in the current year.
Broader Implications for the App Ecosystem and User Trust
These comprehensive policy updates and enforcement actions by Google carry significant implications for the entire Android app ecosystem. By prioritizing user privacy and introducing more granular control over data access, Google is fostering a more trustworthy environment for consumers. This enhanced trust can lead to greater user engagement and a willingness to adopt new applications, ultimately benefiting developers who adhere to these standards.
The rigorous enforcement against malvertising and fraudulent account transfers also serves to level the playing field for legitimate businesses and developers. By cracking down on bad actors, Google is creating a safer marketplace where honest players can thrive without being undercut by deceptive practices or facing unfair competition.
The shift towards more privacy-centric permissions, particularly with the Contact Picker and the streamlined location button, represents a fundamental change in how apps interact with user data. Developers will need to adapt their strategies to align with these new paradigms, focusing on obtaining explicit consent and minimizing data collection. This may necessitate re-architecting certain app functionalities or rethinking data utilization strategies.
The introduction of the Play Developer Declaration process for certain permissions signifies Google’s commitment to a more nuanced approach, allowing for legitimate exceptions while maintaining a high bar for data access. This process, while potentially adding an administrative layer for developers, is crucial for ensuring that essential app functionalities are not inadvertently hindered while still upholding robust privacy standards.
In conclusion, Google’s recent announcements signal a decisive step forward in its mission to create a more secure, transparent, and user-centric Android ecosystem. The combination of stricter privacy policies, enhanced fraud prevention measures, and the sophisticated application of AI in combating malvertising demonstrates a multifaceted strategy to address the evolving challenges of the digital landscape. These changes are not merely regulatory adjustments; they represent a fundamental commitment to building a healthier and more reliable platform for both users and developers.