Guideline: Google Play — Malware and Unwanted Software Policy

Google Play Protect Flagged Your App — Here's What That Actually Means

Most indie developers who get this rejection aren't shipping malware. But certain coding patterns, third-party SDKs, or obfuscation techniques can trigger Play Protect's automated detection. Here's how to investigate and respond.

What Google said

Your app has been flagged by Google Play Protect for behavior that may be harmful to users or their devices. This includes patterns associated with malware, spyware, or unwanted software. Your app has been rejected and/or removed from Google Play until these issues are resolved and reviewed.

What this actually means

Google Play Protect uses automated analysis to identify apps that exhibit behaviors similar to known malware — excessive permissions, obfuscated code, dynamic code loading, suspicious network traffic patterns, or attempting to access data unrelated to the app's stated purpose. You don't have to be a bad actor to trigger this; certain legitimate development patterns set off the same signals.

What Google needs to see

  • Removal of any code that dynamically loads and executes external code not included in the original APK/AAB
  • Reduction of permissions to the absolute minimum required — remove every permission that isn't actively used
  • Transparent, non-obfuscated code structure — legitimate obfuscation like ProGuard is fine, but don't use reflective loading for sensitive operations
  • A privacy policy and terms of service that accurately describe all data collection and transmission the app performs
  1. Audit every third-party SDK in your app — check each one's reputation and look for recent malware reports in security databases
  2. Remove any SDK or library that performs dynamic code execution, loads code from remote URLs, or has suspicious network behavior
  3. Review your permission list and remove everything that isn't strictly necessary — excess permissions are a major malware signal
  4. Run your APK through VirusTotal and review every flag — even false positives give you information about what patterns to address
  5. Submit a detailed explanation to Google Play through the Policy Center explaining what your app does, citing your privacy policy at yourapp.baseterms.com/privacy, and addressing each concern specifically
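As an added example (not code from this page or from Google), a small Python audit helper for steps 2 and 3 above: it lists the permissions an AndroidManifest.xml declares but the code never uses or that are high-risk, and scans source or decompiled text for APIs that load code not shipped in the APK/AAB. The high-risk permission set is an illustrative assumption, and the sample manifest and code snippet are constructed.

```python
import re
import xml.etree.ElementTree as ET

ANDROID_NS = "{http://schemas.android.com/apk/res/android}"

# Illustrative subset: permissions that pattern-match to spyware when unrelated to the app's purpose.
HIGH_RISK_PERMISSIONS = {
    "android.permission.READ_SMS", "android.permission.RECEIVE_SMS",
    "android.permission.READ_CALL_LOG", "android.permission.SYSTEM_ALERT_WINDOW",
    "android.permission.BIND_ACCESSIBILITY_SERVICE", "android.permission.REQUEST_INSTALL_PACKAGES",
}

# Source-level signals of code loaded or executed from outside the shipped APK/AAB.
DYNAMIC_LOAD_PATTERNS = {
    "DexClassLoader": r"\bDexClassLoader\b",
    "InMemoryDexClassLoader": r"\bInMemoryDexClassLoader\b",
    "Runtime.exec": r"Runtime\.getRuntime\(\)\.exec\(",
    "System.load(path)": r"\bSystem\.load\(",
}

def audit_permissions(manifest_xml: str, used: set[str]) -> dict:
    """Return declared, unused and high-risk permissions. `used` = permissions the
    code actually exercises (assumed known, e.g. from reviewing API call sites)."""
    root = ET.fromstring(manifest_xml)
    declared = {el.get(ANDROID_NS + "name") for el in root.iter("uses-permission")}
    return {
        "declared": declared,
        "unused": declared - used,  # candidates for removal
        "high_risk": declared & HIGH_RISK_PERMISSIONS,  # each needs a justification in the appeal
    }

def find_dynamic_loading(source: str) -> list[tuple[int, str]]:
    """Return (line number, signal name) for every dynamic-loading API found in source text."""
    hits = []
    for lineno, line in enumerate(source.splitlines(), 1):
        for name, pattern in DYNAMIC_LOAD_PATTERNS.items():
            if re.search(pattern, line):
                hits.append((lineno, name))
    return hits

# Constructed sample inputs (not from any real app): an over-declared manifest and a plugin-loading snippet.
SAMPLE_MANIFEST = """<manifest xmlns:android="http://schemas.android.com/apk/res/android">
  <uses-permission android:name="android.permission.INTERNET"/>
  <uses-permission android:name="android.permission.READ_SMS"/>
  <uses-permission android:name="android.permission.CAMERA"/>
</manifest>"""
SAMPLE_SOURCE = """File dex = new File(ctx.getCacheDir(), "plugin.dex");
DexClassLoader loader = new DexClassLoader(dex.getPath(), null, null, ctx.getClassLoader());
Class<?> c = loader.loadClass("com.sdk.Plugin");"""
```

Run `audit_permissions(SAMPLE_MANIFEST, {"android.permission.INTERNET", "android.permission.CAMERA"})` and `find_dynamic_loading(SAMPLE_SOURCE)` to see READ_SMS flagged as both unused and high-risk, and the DexClassLoader call located on line 2.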

While you're at it — Apple also requires these pages for every app.

Fix this rejection, then make sure you're covered on the compliance side too. Apple requires every app to link to a hosted Privacy Policy, Terms of Service, Support page, and Data Deletion page. No link means another rejection — just for a different reason.


Common questions

I don't have malware in my app — why was it flagged?
False positives happen, especially with apps that use reflection, dynamic class loading, native code, or certain networking patterns. The most common legitimate causes are: an outdated third-party SDK that matches a known malware signature, overly aggressive code obfuscation, or a combination of sensitive permissions that pattern-match to known malware families.
How do I appeal a malware flag on Google Play?
Go to the Play Console Policy Center and submit an appeal explaining your app's functionality. Be detailed and specific — explain every permission you request and why, describe all network traffic your app generates, and address the specific behavior that was flagged. Generic appeals are typically rejected.
Can I re-publish my app under a new package name to avoid the flag?
No. This is a serious policy violation that can result in your entire developer account being terminated. Google tracks apps across package names, developer accounts, and even signing keys. If your app has a legitimate malware flag, you need to fix the underlying issue, not try to republish under a different identity.