App Distribution
Alternative distribution channels outside Google Play, the APK modding ecosystem, and evolving platform policies. Malware distribution increasingly uses third-party stores, sideloading, and modded APK sites.
Official & Major Stores
Chinese Stores
Google Play is unavailable in China. Users install apps from OEM and third-party stores, making these primary distribution channels for both legitimate apps and malware targeting Chinese users. OEM stores have overtaken independent third-party stores in market share.
Regional & Alternative Stores
| Store | Region | Notes |
|---|---|---|
| CafeBazaar | Iran | Dominant Iranian store, ~97% market share. 50M+ users, 29M MAU. Sold to Tapsell in January 2025. 200+ credential-harvesting apps targeting Iranian banks found in 2023. |
| RuStore | Russia | State-backed, launched May 2022 by VK. 50M+ MAU. Mandatory pre-installation on all devices sold in Russia since September 2025. Expanding to 70 countries. |
| Indus Appstore | India | Launched February 2024 by PhonePe (Walmart-backed). Supports 12 Indian languages, 200K+ apps. Zero listing fees, zero commission on third-party payment gateways. Xiaomi replacing GetApps with Indus on Indian devices. |
| Epic Games Store | Global | Launched on Android August 2024. 29M users by end of 2024. US court ordered Google to allow third-party stores within Play Store, creating "Registered App Stores" effective November 2024. |
Open-Source Distribution
| Platform | Type | Notes |
|---|---|---|
| F-Droid | FOSS app store | Free and open-source software only. 4,000+ apps. Builds apps from source code (reproducible builds). Flags anti-features (ads, tracking) transparently. Under existential threat from Google's Developer Verification Decree requiring all Android developers to register with Google. |
| Aurora Store | Google Play client | Open-source, unofficial Google Play frontend. Not a separate catalog. Allows anonymous access to Google Play apps. Google aggressively blocking anonymous dispenser accounts. |
APK Hosting & Mirrors
These are not app stores. They host APK files for download without providing a storefront or app discovery experience.
| Platform | Type | Notes |
|---|---|---|
| APKMirror | Curated APK archive | Founded 2014, independently owned. Manually reviews every upload. Verifies cryptographic signatures against known developer certificates. No piracy. One of the most trusted APK sources. |
| APKPure | APK download site | Compromised in April 2021: official client app v3.17.18 was trojanized with Triada dropper via an unverified ad SDK. Kaspersky blocked it on 9,380+ devices. Fixed in v3.17.19. |
| Uptodown | APK distribution | Founded 2002, based in Spain. 100M active users. 450M+ monthly downloads. 260K+ apps. Hosts legitimate APKs on own servers. |
| Aptoide | Decentralized marketplace | Open-source, community-driven. Users create their own "stores." Breached April 2020: 39M accounts copied, 20M records leaked. Emails, SHA-1 hashed passwords (unsalted), names, IPs exposed. |

| Platform | Type | Notes |
|---|---|---|
| Appland | White-label pre-loaded app store | Swedish company (founded 2011), acquired by OnMobile Global in 2018 for ~$15M. B2B infrastructure for mobile operators and OEMs. App stores are pre-installed as system apps on smartphones before shipping, granting INSTALL_PACKAGES for silent APK installation. Installed on 10M+ devices across 200+ countries. TIMWE partnership rolled out across mobile operators in Latin America, Southeast Asia, and CIS/Russia. Revenue via carrier billing (charged to phone bill). Pre-loaded stores have been observed bundling carrier billing SDKs (Fortumo, now part of Boku) and server-pushed install lists that silently install apps without user interaction. The line between "alternative store" and malware distribution platform depends on what gets silently installed. |
APK Modding & Cracking
Modified APKs (mods) are distributed through forums and dedicated sites. They are a primary malware distribution vector: trojans, adware, and spyware are injected into popular cracked apps, so a victim who installs a "premium" version gets the malware bundled in.
| Platform | Type | Notes |
|---|---|---|
| ACMarket | Modded app store | Distributes cracked and modded APKs. Multiple mirror domains (acmarket.net, .icu, .app). Known malware distribution vector. No reliable vetting. |
| An1.com | Modded games | Modded Android game distribution. Claims file scanning but no independent verification. |
| HappyMod | Modded app store | Community-uploaded modded APKs. Claims VirusTotal scanning but mods are user-submitted with no professional vetting. |
| Lucky Patcher | Modification tool | Not a store. Device-level APK patching tool for ad removal, license bypass, in-app purchase bypass, and permission modification. Most features require root. Frequently flagged by AV. |
| Mobilism | Piracy forum | Forum-based piracy platform. Users share cracked/modded APKs via threads and direct downloads. No automated scanning or vetting. |
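A modified APK has to be re-signed, so its signing certificate no longer matches the original developer's; this is the property behind the signature checks noted for APKMirror above. The following is an added example, not code from the original page: it compares the certificate digests reported by `apksigner verify --print-certs` against a pinned set. It assumes `apksigner` is on the PATH and prints lines of the form `Signer #N certificate SHA-256 digest: …`; the pinned digest and sample outputs are constructed placeholders.

```python
import re
import subprocess

# Assumed apksigner line: "Signer #1 certificate SHA-256 digest: <64 hex chars>"
DIGEST_RE = re.compile(
    r"^Signer\b.*certificate SHA-256 digest:\s*([0-9a-fA-F:]+)\s*$", re.M)

def normalize(digest):
    """Lower-case and drop colons so pins can be pasted in either style."""
    return digest.replace(":", "").lower()

def signer_digests(output):
    """Return the set of signer certificate SHA-256 digests in the output."""
    return {normalize(d) for d in DIGEST_RE.findall(output)}

def check_signers(output, pinned):
    """Classify an APK from apksigner's text output against pinned digests."""
    if "DOES NOT VERIFY" in output:  # assumed failure marker in the output
        return "invalid-signature"
    found = signer_digests(output)
    if not found:
        return "no-signer"
    trusted = {normalize(p) for p in pinned}
    # Every signer must be pinned: a re-signed mod carries an unknown cert.
    return "match" if found <= trusted else "unknown-signer"

def check_apk(path, pinned):
    """Run apksigner (Android SDK build-tools) on a file and classify it."""
    proc = subprocess.run(
        ["apksigner", "verify", "--print-certs", path],
        capture_output=True, text=True)
    if proc.returncode != 0:
        return "invalid-signature"
    return check_signers(proc.stdout, pinned)

# Constructed sample data: placeholder digests, not real certificates.
PINNED = {"AB:" * 31 + "AB"}  # more than one pin allows for key rotation
GENUINE = ("Signer #1 certificate DN: CN=Example Dev\n"
           "Signer #1 certificate SHA-256 digest: " + "ab" * 32 + "\n"
           "Signer #1 certificate SHA-1 digest: " + "ab" * 20 + "\n")
RESIGNED = ("Signer #1 certificate DN: CN=Unknown\n"
            "Signer #1 certificate SHA-256 digest: " + "cd" * 32 + "\n")

if __name__ == "__main__":
    print("genuine sample: ", check_signers(GENUINE, PINNED))
    print("re-signed sample:", check_signers(RESIGNED, PINNED))
```

A match only shows that the file was signed by the holder of a pinned key; a trojanized official release such as the APKPure client described above would still pass.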
Google Play Sideloading Restrictions (2024-2025)
Google has progressively tightened controls over sideloaded apps:
| Change | Year | Impact |
|---|---|---|
| Enhanced Fraud Protection | 2024 | Automatically blocks sideloaded apps requesting sensitive permissions (SMS, accessibility, notification listener). Piloted in Singapore, expanded to Brazil, India, Kenya, Nigeria, Philippines, South Africa, Thailand, Vietnam. Shielded 10M devices from 36M risky installs. |
| Play Integrity API tightening | 2025 | Stricter verdicts require apps to be installed via Google Play for strong integrity ratings. Devices need security updates within 12 months. Penalizes sideloaded apps. |
| Developer Verification Decree | 2025 | All Android developers, including those distributing outside Play Store, must register with Google. Unregistered apps blocked on certified devices. Enforcement begins March 2026, mandatory in Brazil/Indonesia/Singapore/Thailand from September 2026, global 2027+. |
| Play Protect scanning expansion | 2025 | Daily scans increased from 200B to 350B, covering both Play Store and sideloaded apps. Blocked 1.75M harmful apps. |
EU Digital Markets Act
Google is designated as a DMA gatekeeper for Android and Google Play. In March 2025, the European Commission informed Alphabet of DMA breaches regarding Google Play's restrictions on developers steering users to alternative distribution channels and payment methods. US federal courts separately ordered Google to allow third-party stores within Google Play effective November 2024.
Android Source Code Delays
In March 2025, Google stopped releasing Android source code immediately after device launches, instead delaying releases by weeks or months. This hinders FOSS developers, alternative distributions like F-Droid, and custom ROM projects that depend on timely AOSP access.