Google’s new reCAPTCHA won’t work on Android without Google services

Google is rolling out a new reCaptcha-style check to block AI bots—but it doesn’t work on Android phones without Google Play Services. That could trip up users of privacy-focused Android variants like GrapheneOS when verifying purchases or logging in.

The new system was announced last month as part of Google’s broader “Fraud Defense” platform, the successor to reCaptcha. Google says the tech is designed to stop AI agents from completing online transactions or making fraudulent purchases on their own.

The check uses a QR code that appears when reCaptcha suspects the user might be an AI agent or an automated system. You then have to scan that code with your phone to prove a real person is taking the action.

Google argues an AI agent can’t independently scan a QR code using a physical device. It calls the method an “AI-resistant challenge” meant to make automated fraud economically unattractive.

The technology targets e-commerce, account verification, and other transactions where fraud risk is high. Google frames it as protection against autonomous AI agents that can browse sites, fill out forms, and complete purchases without a human.

On a separate support page, Google confirms the new verification only works on Android devices with Google Play Services version 25.41.30 or later—a detail missing from the original announcement.

In practice, that means Android phones without Google services may be locked out of the new verification flow. Users of custom ROMs like GrapheneOS, LineageOS, and other de-Googled Android variants could run into limitations as a result.

It’s still unclear what happens when users without Play Services try to scan a QR code. Google hasn’t provided any technical explanation yet.

The company does confirm that QR codes can also be scanned with an iPhone or iPad.

The shift underscores how fast verification systems are evolving in response to generative and autonomous AI. Old-school captchas with traffic lights, bicycles, or warped letters are increasingly ineffective against modern AI models.

With QR codes, Google is adding a physical human step that’s harder to automate. But it also pushes reliance on smartphones and platform services deeper into the core of web access and online verification.

That’s drawing criticism in privacy circles. On Reddit, users worry about growing dependence on Google services for basic internet functionality. Some fear alternative Android systems will become less viable for everyday online tasks.

The new reCaptcha check fits a broader trend: big tech firms are tuning security to AI behavior, not just traditional bots.

In its announcement, Google explicitly points to the rise of an “agentic web,” where autonomous AI systems conduct transactions on users’ behalf. That, it argues, demands a new approach to risk and identity.

It also raises a deeper question: what counts as a “human user”? Captchas were built to stop simple scripts; modern verification is now aimed at advanced AI agents that mimic human behavior.

For users of open-source or privacy-first software, that trajectory may collide with platform lock-in—especially as verification becomes tied to closed ecosystems like Google Play Services.