Apparently the new anti-bot ritual is: open website, get blocked, scan a QR code with another device, prove you are human, pray to the reCAPTCHA gods.
Some sites have already implemented this like it is a serious security boundary.
The funny part: the whole thing was still sitting in the frontend like a decorative boss fight. I am not posting the bypass details, but let’s just say the “next generation verification wall” had the structural integrity of a modal popup.
Security theater, now with QR codes.
Google's new reCAPTCHA verification path requires Google Play Services v25.41.30 or higher running in the background. When reCAPTCHA flags your traffic as suspicious, you get a QR code challenge that only Play Services can answer.
If you don't have Play Services because you're on GrapheneOS, LineageOS, or any custom ROM that strips Google software, the verification fails. There's no documented workaround.
This was announced as part of Google Cloud Fraud Defense on April 23 2026. Support pages showed the requirement quietly since October 2025. The de-googled community on Reddit caught it first, then PiunikaWeb and Android Authority picked it up. Now it's on the front page of HN at 496 points and 164 comments.
iOS users on 16.4 and above pass without anything extra. So Apple users are fine. Android users with stock Google software are fine. Custom ROM Android users get blocked.
The framing matters. Google can argue this is fraud prevention. Anti-abuse mechanisms have to anchor to something. But anchoring to a closed proprietary stack means everyone outside that stack gets locked out of basic web verification.
What's strange: Play Services running in the background for verification means the closed proprietary stack is now load-bearing for the open web. CAPTCHA was supposed to be a check-you're-human signal. It's becoming a check-you're-Google's-customer signal.
Practical impact for the de-googled crowd: any site behind reCAPTCHA can soft-block you depending on their suspicion threshold. Bank logins, ticket sites, government portals, reddit account creation all use reCAPTCHA at various points. None of them have to do this on purpose. They just inherit the upstream limitation.
If anyone has actual workarounds beyond switching browsers or accepting account loss, post them. The Reddit r/degoogle thread is collecting fragments but I haven't seen a clean answer.
Source: reclaimthenet article today, also covered by PiunikaWeb and Android Authority earlier this week.
The new generation of reCAPTCHA has fundamentally changed how it verifies users on Android, and it's terrible news for anyone running a de-googled device.
Instead of showing the classic image puzzles when suspicious activity is detected, the system now requires you to scan a QR code. To do this, your device must have Google Play Services (version 25.41.30 or higher) running in the background and communicating with Google's servers.
If you are using GrapheneOS or any other custom ROM without Google Play Services, you automatically fail the verification.
Here are a few details that show exactly what Google is doing here:
• The iOS Asymmetry: This is clearly not about security. On iOS 16.4 and newer, this exact same verification passes perfectly fine natively, without requiring the user to install any Google software. Google is artificially restricting Android users while giving iOS a free pass.
• The Quiet Rollout: The service was officially presented on April 23 at Cloud Next as part of "Google Cloud Fraud Defense." However, the Play Services dependency was introduced silently. An archived copy of a Google support page from October 2025 already lists the requirement (for v25.39.30). This means the mechanism was baked in for at least seven months before Reddit users finally caught on.
Because reCAPTCHA acts as a gatekeeper for millions of websites, tying it to Play Services essentially turns access to regular web content into an ultimatum: either run Google's proprietary framework and send telemetry to their servers, or be locked out of the web.
I won't even use irony here. Everything is already perfectly clear about the "Don't Be Evil" corporation.
Link: https://reclaimthenet.org/google-broke-recaptcha-for-de-googled-android-users
*Translated with AI (English is not my native language)
Translation
Google now treats privacy as suspicious activity by default. Users of GrapheneOS, CalyxOS, /e/OS and other de-Googled Android phones are being prevented from accessing millions of sites (note: I have not seen this happening yet, but that does not mean it will not happen) until they install Google Play Services, which they deliberately removed.
GrapheneOS is recommended by the EFF (Electronic Frontier Foundation) and used by journalists, lawyers and activists in dangerous environments/places. The people most likely to read Google's data practices and refuse its terms will be flagged as suspicious for that exact reason.
What happened?
- Google announced "Cloud Fraud Defense" at Cloud Next on April 22 and 23, 2026, calling it "the next evolution of reCAPTCHA". Existing reCAPTCHA customers were automatically transitioned to the new version.
- When the system flags traffic as suspicious, the old puzzle is gone. Users receive a QR code.
- Scanning requires Google Play Services running on the device. Internet Archive snapshots show that this requirement has existed since October 2025, silently released 7 months before anyone noticed.
- No Play Services = no QR = blocked
The bigger picture
- Google already tried this in 2023. It was called Web Environment Integrity (WEI), and it would have let Google decide which devices were "real enough" to access the web. Organizations (?, I could not think of a better translation) and the public revolted and Google shut it down. Three years later it is the same idea, but hidden behind a QR code instead of a browser feature.
- reCAPTCHA runs on millions of sites. Every developer who uses it will, by default, be telling de-Googled Android users that they are not welcome...
Guys, be SUPER careful with what you do online. Google will not protect us, especially with sponsored results like this one.
On April 23, 2026, Google announced "Cloud Fraud Defense" at Cloud Next, describing it as the next evolution of reCAPTCHA. What they did not announce clearly is the detail that changes everything: when this new system flags your traffic as suspicious, the old click-the-buses puzzle is gone. Instead, you get a QR code. Scanning that QR code requires Google Play Services version 25.41.30 or higher running on your device. If you removed Google Play Services because you are on GrapheneOS, LineageOS, CalyxOS, /e/OS or any other de-Googled Android distribution, the verification fails with no documented workaround. Support pages showing this requirement were silently live since at least October 2025, seven months before anyone widely noticed.
iOS users on 16.4 and above pass automatically. Android users running stock Google software pass automatically. Privacy-conscious Android users who made an informed decision to remove Google's proprietary software from their own devices get locked out. The audience most likely to have read Google's data practices carefully and chosen to opt out is now the audience being flagged as fraudulent for that exact choice.
This is not the first time Google has attempted this. In 2023, the company proposed Web Environment Integrity, a browser feature that would let Google decide which devices were "legitimate" enough to access the web. Standards bodies, the open web community and the public pushed back hard enough that Google killed the proposal. Three years later, the same architectural idea is back, implemented not as an open web standard but as a dependency buried inside a widely deployed CAPTCHA system. The outcome is identical: Google's closed proprietary stack becomes the gatekeeper for basic web access. The mechanism is just harder to see.
The practical consequences are significant and mostly invisible to the websites themselves. reCAPTCHA runs on millions of websites globally. Bank login pages, government portals, ticket sites, account registration flows, none of them have to make an active decision to block de-Googled users. They just inherit the upstream limitation by continuing to use reCAPTCHA as they always have. A bank using reCAPTCHA is not choosing to exclude GrapheneOS users. It is just that Google made that choice on their behalf without telling them. This means, if you are a privacy-conscious user you are blocked from using bank websites because of Google.
GrapheneOS is recommended by the Electronic Frontier Foundation and is actively used by journalists, lawyers, activists, people operating in high-risk environments where device security matters and by everyone who just loves privacy. It is the most security-hardened Android variant publicly available. The population of people running it is not bots or fraudsters. It is the population that took device privacy seriously enough to sacrifice app compatibility and convenience to achieve it. Google's system cannot distinguish between them and actually malicious traffic because the only signal it is checking is whether Google's own software is present.
Play Services is background software with broad device permissions that Google controls, updates silently and uses to collect device telemetry. The user who removed it made a reasonable security decision. The system now treating that decision as evidence of suspicious intent has the logic precisely backwards.
There is currently a minimal bypass: Changing the browser agent string to simulate a non-Android device bypasses the check in some cases. GrapheneOS's sandboxed Play Services approach, which runs Google's software in an isolated container, may pass the check for now. But Google will almost certainly require full Play Integrity attestation in the future, and sandboxed Play Services will eventually fail that check by design because Play Integrity is specifically built to certify that Google's software is running with full system-level access.
If you are on a de-Googled device and hitting reCAPTCHA walls, document the sites and report them to the website owners and maintainers directly. Most website operators have no idea this is happening! Tell them to switch to alternatives like Altcha (altcha.org) which is an Open Source Captcha. Altcha is European, privacy-preserving by design and requires no Play Services or proprietary software to pass. Every developer who keeps using reCAPTCHA after learning this is making a choice, even if they do not know it yet.
Since we already know about this reCAPTCHA thing (link) and how it is going to affect everyone with a degoogled phone, along with concerns like scammers impersonating reCAPTCHA with their own QR, I request every website owner here to try to shift to an alternative like Cloudflare Turnstile or ALTCHA rather than using reCAPTCHA by Google. This will let us evade Google's tactics for now at least.
Does anyone here have an idea what will happen to the people who don't use a smartphone? How will they even scan the QR?
In a move to combat online fraud and automated bots, Google is rolling out an evolution of its reCAPTCHA system. While the stated goal is to enhance security, the new method has sparked controversy and concern among privacy advocates and users of custom mobile operating systems. The core of the issue lies in a new requirement for some users to verify their identity using a smartphone with Google Play Services installed.
This new verification process is part of what Google calls its "Cloud Fraud Defense." The company argues that with the rise of sophisticated AI, it's becoming harder to distinguish between genuine human users and bots. Their solution involves a system that, in some cases, requires users to scan a QR code with their phone to prove they are human. The problem, however, is that this system specifically requires the presence of Google Play Services (GMS) on Android devices.
The impact on custom operating systems
For a growing number of users who are actively trying to reduce their reliance on big tech, this presents a significant hurdle. Operating systems like GrapheneOS are designed with privacy and security as their main focus, and a key aspect of this is the absence of Google Play Services by default. While users can choose to install GMS in a sandboxed environment, many prefer to avoid it altogether to maintain a higher level of privacy.
This new reCAPTCHA requirement effectively creates a two-tiered system where users who have opted out of Google's ecosystem may face difficulties accessing websites and online services that implement the new verification method. This has led to accusations that Google is leveraging its market dominance to push users back into its ecosystem, whether they want to be there or not.
Some of the applications and services that are already reported to block access from GrapheneOS include:
- Government apps from Australia and Brazil
- The popular two-factor authentication tool, Authy
- Various dating and ticketing apps
A question of control
Critics of this new policy argue that it goes against the original ethos of Android, which was built on an open-source foundation that allowed for user choice and customization. By making Google Play Services a prerequisite for basic web access, Google is seen as tightening its grip on the Android ecosystem and limiting the freedom of users who prioritize privacy.
The developers behind GrapheneOS have pointed out that there are existing, less intrusive methods for verifying a device's integrity. They argue that hardware attestation, a feature available since Android 8, could be used to achieve the same security goals without forcing users to have Google Play Services installed. This has led to speculation that Google's motives may be more about data collection and maintaining its user base than purely about security.
The bigger picture
This development is part of a larger trend of tech companies creating more "walled gardens" where they have greater control over the user experience and the data that is generated. While the convenience of these ecosystems is undeniable for many, it comes at the cost of user autonomy and privacy.
The new reCAPTCHA system could be a precursor to a future where accessing the open web requires an "approved" device that is tied to a specific corporate ecosystem. This has significant implications for everything from online banking to accessing government services, potentially leaving users with a difficult choice: sacrifice their privacy or risk being locked out of essential online services.
This move by Google highlights the ongoing tension between the desire for enhanced security and the fundamental principles of a free and open internet. As our lives become increasingly digitized, the question of who holds the keys to our digital world is more important than ever.
As we all know, Google is launching a new QR-based CAPTCHA / verification system and how badly it behaves on custom ROMs, unlocked bootloaders, rooted devices, and microG setups. A lot of legitimate users on LineageOS, PixelOS, crDroid, GrapheneOS, and other aftermarket ROMs are getting stuck in verification loops or failing checks entirely even when the devices are otherwise secure and fully functional. Starting a collaborative project focused on understanding how the new flow works internally, what role Play Integrity and hardware attestation play, and exploring possible ways to make it function properly or potentially bypass ROM-related restrictions on custom ROM environments for compatibility and interoperability purposes. Looking for Android reverse engineers, ROM maintainers, mobile security researchers, and modding enthusiasts interested in analyzing traffic flows, Play Services interactions, integrity checks, browser/app differences, and possible implementation weaknesses or workarounds. Comment down below if interested.
- The article claims that Google has tied its new reCAPTCHA to Google Play Services on Android, which causes verification to fail on "de-Googled" phones such as GrapheneOS.
- According to Reclaim The Net, the system now requires some Android users to scan a QR code and use a recent version of Google services to prove they are human.
- The article sees this less as a security measure than as a way to strengthen control of the Google ecosystem, at the expense of privacy-conscious users.
Google is testing a new security system in place of reCAPTCHA.
If the system detects risky web traffic, it will not show reCAPTCHA's selection-based picture puzzles such as traffic lights and pedestrian crossings.
With this new system, called Google Cloud Fraud Defense, it will be necessary to scan a QR code with a phone. To pass this test, Google Play Services must be installed and running.
So Google and Apple are extending their hardware based attestation solutions like Play Integrity, App Attest and Privacy Pass beyond mobile apps and into the wider internet web.
They have already done age verification in their latest software updates (they would probably be able to link each device to a single person soon). But they are now looking to limit access and services for people who don't use approved Apple and Google devices.
Basically, the upcoming release of Google’s reCAPTCHA Mobile Verification will require users who use devices such as Linux, Windows and others to scan a QR code using a certified Android or iPhone in order to pass verification.
support.google.com/recaptcha/answer/16609652
We really do need to be concerned about this as it could push the internet toward a future where access to websites and services depends on owning approved hardware and software ecosystems.
Mutahar (SomeOrdinaryGamers) criticizes a recent Google update.
It forces users to have Google Mobile Services (GMS/Google Play Services) installed and active on their Android device for 'smoother/required verification' challenges on websites or services.
This will affect people starting to use de-Googled or custom Android ROMs (like GrapheneOS), which intentionally avoid Google’s proprietary services for privacy reasons.
Without Play Services, users may face more friction or failed verifications or be forced to use workarounds (like scanning a QR code with a different device that does have Google services).
Privacy is for a reason: to keep your life out of company and government business and never collect their data.
Google’s original corporate motto: Don't be Evil.
Well, Google is being Evil.
Google has a new system called Cloud Fraud Defense, which is the next version of reCAPTCHA, and has started rolling out to users.
When the system detects risky web activity, it no longer shows the old picture puzzles where you pick out buses or traffic lights. Instead, it displays a QR code that you scan with your Android phone, but to pass the test your phone must have Google Play Services installed and running.
The result is that millions of websites now treat these privacy phones as risky, so users must either add Google Play Services or stay locked out.
Full post: https://x.com/Pirat_Nation/status/2053490745479479359?s=20
‼️🚨 ALARMING: Google now treats privacy as suspicious behavior by default. Users of GrapheneOS, CalyxOS, /e/OS, and other deGoogled Android phones are being locked out of millions of websites unless they install the exact Google Play Services software they deliberately removed.
GrapheneOS is recommended by the EFF and used by journalists, lawyers, and activists in high-risk environments. The audience most likely to read Google's data practices and refuse its terms is now flagged as fraudulent for that exact decision.
What happened?:
• Google announced "Cloud Fraud Defense" at Cloud Next on April 22-23, 2026, branding it "the next evolution of reCAPTCHA." Existing reCAPTCHA customers were auto-migrated.
• When the system flags traffic as suspicious, the old click-the-bus puzzle is gone. Users get a QR code instead.
• Scanning the QR code requires Google Play Services running on the device. Internet Archive snapshots show this requirement has been live since at least October 2025, silently rolled out for 7 months before anyone noticed.
• No Play Services = no QR scan = locked out.
The bigger picture:
• Google already tried this in 2023. It was called Web Environment Integrity (WEI), and it would have let Google decide which devices were "real enough" to access the web. Standards bodies and the public pushed back hard, and Google killed it. Three years later, the same idea is back, just hidden behind a QR code instead of a browser feature.
• reCAPTCHA runs on millions of websites. Every developer who keeps using it is now, by default, telling deGoogled Android users they're not welcome...
Whatever happened to Google's motto "Don't be evil" ?
JP QR Bot
Thanks to the efforts of /u/harryturney (Asuna#1000) we now have a working bot for the QR scanning missions for the JP version of dokkan battle that allows you to complete all the missions and obtain the 50 stones associated with them. To use the bots you need to follow the following instructions:
First you enter the following link https://docs.google.com/forms/d/e/1FAIpQLSerHVjTABPqTI7KwPf9Ns6apcbUSL_3LlyylM_gMp_MCwqYYw/viewform
When you do, you are required to fill in your QR code URL to make a request for the bot. It is very important that you send in the QR URL and not a picture of the QR itself for the process to work; if you just send the image of the QR you won't be able to do the missions with the bot. This is an example of how the QR URL should look:
https://dbz-dokkan.bngames.net#invitecode=c2RoNm8InU3s1IjafsknmzJeKNpBWFnNrqvv6sXqIFoq3gm5+03vyQ==
Overall, for the process to work there will be captchas that are posted in the #jp_qr_bot_captchas channel on the sub's Discord server, that you need to complete in order for the bot to create accounts that will complete the missions for you. Without completing the captchas you won't be able to complete the missions and obtain the stones.
The google form has a timestamp showing when a request was submitted therefore the sooner you submit your request the higher the chance that it will be completed more quickly depending on how many people submitted requests.
In the following link you can see your place in the list
https://docs.google.com/spreadsheets/d/1FtbHU9liwXO7BHumDT7UCfEyFF3A4JtbQwKD0vXVCrA/edit?resourcekey#gid=941570390
Again, it is important to note that simply posting your QR code in the comments won't put you on the list and therefore you won't be able to get your stones, so make sure you follow the instructions detailed above.
In case you are not able to access the discord server linked above alternatively you can complete the captchas on the dokkan info discord in the following link
The link to the global bot will be pinned in the comments so people won't be confused.
To make the requests go faster, since this is a lot of work, please submit a request if you have a JP main and not if it's your side account so that more requests will be done. If too many people submit a request there is a chance he won't be able to complete all before the missions end.
Edit: due to lack of help with the captchas and due to the fact harry had to do the process on his own he is no longer offering the process for jp since it became too taxing. He finished up existing queues till now but won't accept any more requests.
There's something I keep coming back to that doesn't get talked about enough.
Every major AI company built their flagship models by scraping basically everything reachable on the open web. Common Crawl. Books3 and LibGen (pirated book corpuses literally named in court documents from the Meta and OpenAI lawsuits). News archives. Social platforms. GitHub. YouTube transcripts. Personal blogs and forums. Mostly unlicensed. OpenAI, Anthropic, Google, Meta — all of them did this, and it's how their models got smart in the first place.
Then the models shipped, and the same companies pivoted hard. Reddit closed its API and started charging billions for access (remember when third-party apps died?). Twitter locked APIs behind $42K/month tiers. Stack Overflow tried to ban LLM training, already too late. News sites started suing — NYT v OpenAI is the marquee case but there are dozens.
Then came the infrastructure layer, which is what's been bothering me most lately. Google killed Web Environment Integrity back in 2023 after standards bodies pushed back hard — that was the proposal that would have let device hardware decide which browsers were "real enough" to access the web. Three years later, the exact same hardware-attestation mechanism just shipped as Cloud Fraud Defense. But this time as a commercial product nobody gets to vote on. Standards process has no jurisdiction over paid SaaS rollouts.
What it means in practice: if your device isn't running modern Google Play Services or a recent iPhone, you get flagged as suspicious by reCAPTCHA's successor. GrapheneOS, CalyxOS, /e/OS users now get a QR code they can't scan. Privacy-by-choice literally reads as "fraud risk" to Google's stack. Internet Archive snapshots show this requirement has been quietly live since October 2025. They rolled it out for seven months before anyone noticed.
Microsoft runs the same play in a different uniform. Recall harvests every screen on your machine. Forced Copilot integration. Cloud account requirements creeping into more workflows. Telemetry you can't cleanly disable. Ads in the Start menu. Maximum harvest from you, minimum reciprocity back. Your data fuels their AI, their AI gets sold back to you as a feature.
The arc across all of this is consistent. Scrape the open web. Train models on it. Retroactively declare scraping illegitimate. Build attestation infrastructure to prevent anyone else doing the same. License your pre-trained models back to the people whose data trained them. Pull-up-the-ladder play, executed across a decade.
The shady part isn't that companies scraped — that was the open web's rough contract, and it's how the internet worked for thirty years. What bothers me is that once they had what they needed, they retroactively redefined scraping as illegitimate, then used dominant position to build the gates. The retroactive part is the tell.
And it's not slowing down. Google explicitly positions Cloud Fraud Defense as "the trust platform for the agentic web." Translation: Play Integrity becomes the entry token for which AI agents are allowed to interact with the web at all. Including yours. Including any open-source agent framework. Including anything you build for your own use.
This is one war on three fronts. Prompt injection as SEO is the layer where companies control what agents read. Hardware attestation is the layer where they control which agents can read at all. API monetization is the layer that makes scraping economically infeasible for anyone but them. Same playbook, different layers of the stack.
Rules for thee, not for me, at internet scale. The companies that built generation-defining AI on top of unlicensed scraping are the ones deciding who gets to participate in the agentic web going forward. We need open infrastructure that doesn't depend on their permission, and we need it before this gets normalized further.
Anyone else watching this play out the same way? Curious what others are doing about it, if anything.