Google adds public ledger to verify Android apps
Production Google apps and Mainline modules released after May 1, 2026 will be logged in a public cryptographic ledger so anyone can verify builds and detect supply‑chain tampering.
Google is expanding Binary Transparency to Android by publishing production Google apps and Mainline modules in a public cryptographic ledger. The system will log covered releases made after May 1, 2026 to help detect unauthorized or tampered binaries on devices.
The ledger records metadata about official binaries so users, device makers and researchers can check whether a particular app build matches an authorized production release. Google modeled the approach on Certificate Transparency, which logs SSL/TLS certificates in append‑only, verifiable records. Binary Transparency builds on Pixel Binary Transparency, launched in October 2021 to log verified factory images for Pixel devices.
Covered software includes production Google applications such as Google Play Services, standalone Google apps and Mainline modules that can be updated independently of the full OS release cycle. For any covered app or module released after May 1, 2026, Google will publish a cryptographic entry that corresponds to that production build. Software not present in the ledger will be treated as not released as production software by Google.
Google will provide verification tools so device owners, security researchers and other third parties can validate the ledger entries and confirm the transparency state of supported software types. Those tools will allow independent checks of whether a binary on a device has a matching entry in the public log.
The expansion responds to supply‑chain attacks that have used legitimate distribution channels and valid digital signatures to deliver malicious code. Google pointed to a recent compromise of DAEMON Tools Windows installers, where attackers bundled a lightweight backdoor and used it to deploy an implant called QUIC RAT; the installers were distributed from the vendor’s site and signed with developer certificates.
“This new public ledger ensures the Google apps on your device are exactly what we intended to build and distribute,” Google’s product and security teams wrote. The company also noted that digital signatures verify origin but do not prove whether a binary was intended for public release: “Digital signatures are a certificate of origin, but binary transparency is a certificate of intent.”
The ledger will be public and cryptographically verifiable. Google said it will record metadata about official binaries in append‑only logs so anyone can look up entries and compare them with binaries found on devices. The company described the system as an additional detection layer for unauthorized binary releases.
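The kind of check the article describes, as an added illustration and not Google's Binary Transparency tooling or log format: an RFC 6962-style append-only Merkle log with inclusion proofs, where a build's digest is only accepted if it has an entry whose proof recomputes to a root obtained from the public log. The entry layout, package names and binary bytes below are constructed assumptions.

```python
import hashlib
# Toy append-only Merkle log in the RFC 6962 (Certificate Transparency) style.
# Not Google's log format: the entry layout and sample binaries are constructed.
def leaf_hash(entry: bytes) -> bytes:               # 0x00 prefix marks a leaf
    return hashlib.sha256(b"\x00" + entry).digest()
def node_hash(left: bytes, right: bytes) -> bytes:  # 0x01 prefix marks an interior node
    return hashlib.sha256(b"\x01" + left + right).digest()
def merkle_root(leaves: list) -> bytes:
    if len(leaves) <= 1:
        return leaves[0] if leaves else hashlib.sha256(b"").digest()
    k = 1 << ((len(leaves) - 1).bit_length() - 1)   # largest power of two below len
    return node_hash(merkle_root(leaves[:k]), merkle_root(leaves[k:]))
def inclusion_proof(leaves: list, index: int) -> list:  # sibling hashes, leaf to root
    if len(leaves) <= 1:
        return []
    k = 1 << ((len(leaves) - 1).bit_length() - 1)
    if index < k:
        return inclusion_proof(leaves[:k], index) + [merkle_root(leaves[k:])]
    return inclusion_proof(leaves[k:], index - k) + [merkle_root(leaves[:k])]

def verify_inclusion(leaf: bytes, index: int, size: int, path: list, root: bytes) -> bool:
    # Recompute the root from leaf + audit path (RFC 9162 algorithm); the root must
    # come from the public log itself, never from the binary being checked.
    if index >= size:
        return False
    r, fn, sn = leaf, index, size - 1
    for sibling in path:
        if sn == 0:
            return False
        if fn & 1 or fn == sn:                      # sibling is to our left
            r = node_hash(sibling, r)
            while not (fn & 1 or fn == 0):
                fn, sn = fn >> 1, sn >> 1
        else:                                        # sibling is to our right
            r = node_hash(r, sibling)
        fn, sn = fn >> 1, sn >> 1
    return sn == 0 and r == root

def log_entry(package: str, version: int, binary: bytes) -> bytes:
    # Constructed entry layout: package name, version code, SHA-256 of the build bytes.
    return f"{package}|{version}|{hashlib.sha256(binary).hexdigest()}".encode()

def check_binary(package: str, version: int, binary: bytes, entries: list, root: bytes) -> bool:
    # A build with no verifiable ledger entry is treated as not a production release.
    want = log_entry(package, version, binary)
    if want not in entries:
        return False
    i = entries.index(want)
    leaves = [leaf_hash(e) for e in entries]
    return verify_inclusion(leaves[i], i, len(leaves), inclusion_proof(leaves, i), root)
```

A real verifier would additionally pin the log's signed tree head and check consistency between successive roots, so a log operator cannot quietly rewrite history.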
Developers and security researchers will be able to use the published tooling to run independent checks on software releases logged after the May 1, 2026 cutoff. Google said the record of production releases aims to make one‑off or targeted unauthorized deployments detectable.