As of November 1, 2018, Google became much harder with Android app developer. New apps uploaded to the Play Store must already be directed to Android 8.0 Oreo or higher in August, but now every update to existing apps must do the same. It may seem like a simple rule, but it will have some serious consequences.
At the layman's terms, when an app "directs" a specific Android version, it hopes your phone has the Android version installed. Note I said hope and not which requires . The app can still run on older or newer Android versions, but it may be missing some features if the phone has an older version than it targets.
As of January 1, 2018, Google Play Store will no longer allow developers to upload an app update unless the update is specifically designed to target Android 8.0 or later. This applies to all apps currently in the Play Store, and the above-mentioned August time limit applies to new apps that are uploaded for the first time.
Next year, the same time limit applies for this year's largest Android version, version 9.0. Every year, developers will have to make their apps target an Android version that is no more than a year old. If they do not, they will not be able to upload new apps or updates to their existing apps.
Why Developers Target Older Android Versions
Due to backwards compatibility, you'd think app developers would always want to target the latest version of Android to access new features, but many do not. Along with adding functionality and features, new Android versions also define new rules – and some of these rules may be limiting for app developers.
To get around, many developers have been targeting older Android versions from a time when current rules and restrictions were not in place. Things like Oreo new background limitations that make apps more battery-friendly and potentially cause them to reduce functionality.
A major rule introduced in 2015 was Android Marshmallow's granular jurisdiction system. Apps that target this version or higher must explicitly ask the user for permission to access specific sensors and data. For example, when an app wants to use your microphone, it must show a quick question, if you can.
What this means for malware
There are legitimate reasons to circumvent the new rules about background restrictions and permissions, but not all developers target old Android versions with good intentions. This is where the changes will be harmful software.
Many apps are considered malware due to abuse of permissions. For example, a flashlight app only needs permission to access your flashlight, but several of the Play Store offers use the pre-Marshmallow state model to batch-request access to your microphone, location, contact list, and more. The app's developer can earn money on their software by selling this information to marketers or researchers.
These old-age permission requests appear in a popup when you install the app, and many users just tap "OK" without reading them. Evil developers can swap people's deviations simply by targeting an old Android version before Marshmallow.
Now it's coming to an end. All new apps and updates must be focused on Android Oreo, which means that you must manually approve each permission for an app request. You can simply tap "Deny" to prevent a suspicious app from accessing that state, so it will be much harder for malicious apps to mine for external data.