Ads are now able to bypass Google Play to install apps WITHOUT user consent (opens in new tab)

(reddit.com)

55 pointsaj34y ago15 comments

15 comments

14 comments · 4 top-level

kevinventullo4y ago· 5 in thread

The fact that Apple doesn’t allow (non-Apple) pre-loaded bloatware on iPhones is probably the number one reason I’ll never switch back to Android.

sneak4y ago

Google-based Android. I'm switching from iOS to an ungoogled Android distribution sometime this year due to the iOS spyware that's coming out in 15.x.

I also can't install any apps on new devices without giving Apple an email and phone number, which is its own kind of bullshit.

atatatat4y ago

You could use some GrapheneOS in your life =] Not all Android is Googley.

anaganisk4y ago

Unless you have a second phone with a proper Os I wouldn’t even suggest using any unlocked phones, banking apps and other daily use apps for common people just wont work.

bagacrap4y ago

afaict this could not happen on an unlocked Android phone

Gigachad4y ago

What do mean unlocked? This can happen on any phone the OEM chooses to load malware on.

0des4y ago· 4 in thread

I am curious if never logging in to Google while using an Android precludes one from being susceptible to this. Generally you are unable to reach or interact with the app store without first registering a Google account on the device, and accepting various EULAs.

EDIT: Thanks to the commenters below, it appears not participating in the app store ecosystem does not safeguard someone from this. Quite concerning.

FastEatSlow4y ago

Doesn't look like it, this is using the "On-Device Platform" by Digital Turbine, which is used to preload bloatware onto phones. It's pre-installed on many phones for ad money.

Based off the "SingleTap" demo video, it even works in a browser on an ad, which is a bit scary.

According to the partners list, phone/provider brands affected are: Verizon, At&T, Samsung, LG, Xiaomi, Motorola, Panasonic, Acer, T Mobile, Cricket, US Cellular, America movil, Tracfone, Telfonica and Tim Gruppo Tim.

aj3OP4y ago

Reddit comment explains that the software that handles app sideloading gets preinstalled by carriers: https://www.reddit.com/r/androiddev/comments/q4nltn/comment/...

prismatix4y ago

So does this mean that if you purchase an unlocked phone directly from the manufacturer rather than your service provider, you shouldn't have this problem?

1 more reply

cookiengineer4y ago

In addition to the sibling commenter: AdMob SDK had support for ultrasonic data exchange for a while now, and it's heavily used in Europe while TV ads are running.

Safeguarding your phone from network communication wouldn't be enough, as you would have to prevent audio communication as well - which kinda defeats the purpose of it being a phone.

I'd recommend to use LineageOS or Graphene on any Android smartphone. Use RethinkDNS [1] as firewall and AppWarden [2] to identify spyware.

You can also double check the reports page of the exodus prvcy project [3].

[1] https://rethinkdns.com/

[2] https://gitlab.com/AuroraOSS/AppWarden/-/releases

[3] https://reports.exodus-privacy.eu.org/en/

solarkraft4y ago· 1 in thread

To TL;DR the discussion: Some Android manufacturers/carriers include a software package by a company called Digital Turbine, which allows automatic installation of apps through a single click on an ad. It’s not a feature of Android itself (I initially thought it was an add-on to instant apps).

It‘s not like I needed another reason to hate the common Android ecosystem, but here we go. I maintain that there’s no way you can legitimately trust your phone manufacturer’s software. The incentives are just too misaligned. You have to use a third-party ROM like LineageOS (which has its own issues).

Most hardware manufacturers can not be trusted with software at fucking all. Apple seems to be the only exception.

Hardware and software need to be distributed separately (see personal computers), which could also solve some issues with updates. Treble is a good but under-utilized step in between.

atatatat4y ago

> Apple seems to be the only exception.

Nah.

foxes4y ago

Apple’s walled garden keeps out the hordes of adtech shovelware barbarians.

j / k navigate · click thread line to collapse

15 comments

14 comments · 4 top-level

kevinventullo4y ago· 5 in thread

The fact that Apple doesn’t allow (non-Apple) pre-loaded bloatware on iPhones is probably the number one reason I’ll never switch back to Android.

sneak4y ago

Google-based Android. I'm switching from iOS to an ungoogled Android distribution sometime this year due to the iOS spyware that's coming out in 15.x.

I also can't install any apps on new devices without giving Apple an email and phone number, which is its own kind of bullshit.

atatatat4y ago

You could use some GrapheneOS in your life =] Not all Android is Googley.

anaganisk4y ago

Unless you have a second phone with a proper Os I wouldn’t even suggest using any unlocked phones, banking apps and other daily use apps for common people just wont work.

bagacrap4y ago

afaict this could not happen on an unlocked Android phone

Gigachad4y ago

What do mean unlocked? This can happen on any phone the OEM chooses to load malware on.

0des4y ago· 4 in thread

EDIT: Thanks to the commenters below, it appears not participating in the app store ecosystem does not safeguard someone from this. Quite concerning.

FastEatSlow4y ago

Doesn't look like it, this is using the "On-Device Platform" by Digital Turbine, which is used to preload bloatware onto phones. It's pre-installed on many phones for ad money.

Based off the "SingleTap" demo video, it even works in a browser on an ad, which is a bit scary.

aj3OP4y ago

Reddit comment explains that the software that handles app sideloading gets preinstalled by carriers: https://www.reddit.com/r/androiddev/comments/q4nltn/comment/...

prismatix4y ago

So does this mean that if you purchase an unlocked phone directly from the manufacturer rather than your service provider, you shouldn't have this problem?

1 more reply

cookiengineer4y ago

In addition to the sibling commenter: AdMob SDK had support for ultrasonic data exchange for a while now, and it's heavily used in Europe while TV ads are running.

Safeguarding your phone from network communication wouldn't be enough, as you would have to prevent audio communication as well - which kinda defeats the purpose of it being a phone.

I'd recommend to use LineageOS or Graphene on any Android smartphone. Use RethinkDNS [1] as firewall and AppWarden [2] to identify spyware.

You can also double check the reports page of the exodus prvcy project [3].

[1] https://rethinkdns.com/

[2] https://gitlab.com/AuroraOSS/AppWarden/-/releases

[3] https://reports.exodus-privacy.eu.org/en/

solarkraft4y ago· 1 in thread

Most hardware manufacturers can not be trusted with software at fucking all. Apple seems to be the only exception.

Hardware and software need to be distributed separately (see personal computers), which could also solve some issues with updates. Treble is a good but under-utilized step in between.

atatatat4y ago

> Apple seems to be the only exception.

Nah.

foxes4y ago

Apple’s walled garden keeps out the hordes of adtech shovelware barbarians.

j / k navigate · click thread line to collapse