There’s been a considerable amount of confusion today surrounding Samsung smartphones, the Google Play Store, and a previously benign app specializing in email for Russians. A bunch of Galaxy-series phones have inexplicably had “МТС Мобильная Почта” (Mobile Mail) from QJSC Mobile Telesystems installed via a Google Play update, without their owners ever having seen the app before. What’s even more concerning is that the app can’t be uninstalled, and there’s no explanation for affected users.
If you’re reading this and immediately thinking someone’s hacked your phone… well, you’re kind of right. Here’s how this happened: every Android app has a unique identifier under which it’s installed. For example, Angry Birds Space is installed under the system name com.rovio.angrybirdsspace-1.apk. The identifier for Samsung’s proprietary mail app is com.seven.27. For whatever reason, the Russian email app chose the exact same identifier when uploading to the Google Play Store. The Google Play Store noticed this “new” app installed on thousands of phones, and pushed the “update” to the Samsung phones running the proprietary mail app.
Some of the folks at XDA have been taking a good look at the app itself, and concluded that it’s harmless. Relax: your bank account numbers are not zipping across the Internet to some shady shack in Siberia. That still doesn’t explain why the developer chose that particular install name in the first place. Did they know that they’d be getting installed on thousands of Samsung phones automatically? Was it an extremely specific goof, with someone copying the name of an essential Samsung app without realizing it? Neither Google nor Samsung has commented thus far.
In any case, this little fiasco has illustrated a couple of weak points in Android’s infrastructure. One, the Google Play Store can get a little overzealous with its automatic update procedures, and has a definite security hole when it comes to app identifiers (package names). And two, it demonstrates just how essential and necessary it is for users to be able to uninstall or otherwise disable native apps. If you’re one of the few people running the official version of Ice Cream Sandwich on the Galaxy S II, you can simply disable the app. Wouldn’t it be nice if everyone could do that, eh Samsung?
[via The Verge]
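To make the mechanism concrete, here is an added illustration (not code from the article, Google or Samsung) that models update matching for a package identifier: once on the package name alone, as the article describes, and once with the rule that an update must be signed by the same certificate as the installed package. The certificates and the version numbers are constructed stand-ins; note that if both APKs really were signed by the same company, as one comment below suggests, the signer check passes and the update still goes through.

```python
import hashlib
from dataclasses import dataclass
from typing import Optional


@dataclass(frozen=True)
class Package:
    name: str      # Android package identifier, e.g. com.seven.27
    signer: str    # SHA-256 fingerprint of the signing certificate
    version: int   # versionCode; an update must be strictly newer


def fingerprint(cert: bytes) -> str:
    """Fingerprint a signing certificate (DER bytes in a real APK)."""
    return hashlib.sha256(cert).hexdigest()


# Constructed sample certificates: stand-ins, not real keys.
SAMSUNG_CERT = b"constructed-samsung-signing-cert"
OTHER_CERT = b"constructed-unrelated-signing-cert"


def find_installed(installed: list, name: str) -> Optional[Package]:
    return next((p for p in installed if p.name == name), None)


def update_decision(installed: list, candidate: Package, check_signer: bool = True) -> str:
    """Decide what the store/installer should do with `candidate`.

    check_signer=False matches on the package name alone (the behaviour the
    article describes). check_signer=True adds the installer rule: an update
    must carry the same signing certificate as the installed package.
    """
    current = find_installed(installed, candidate.name)
    if current is None:
        return "not-installed"          # nothing to update
    if candidate.version <= current.version:
        return "not-newer"              # same or older build, ignore
    if check_signer and candidate.signer != current.signer:
        return "rejected-signer-mismatch"
    return "update"


def demo() -> dict:
    phone = [Package("com.seven.27", fingerprint(SAMSUNG_CERT), 1)]
    foreign = Package("com.seven.27", fingerprint(OTHER_CERT), 2)        # same id, other signer
    same_signer = Package("com.seven.27", fingerprint(SAMSUNG_CERT), 2)  # same id, same signer
    return {
        "name_only": update_decision(phone, foreign, check_signer=False),
        "checked_other": update_decision(phone, foreign),
        "checked_same": update_decision(phone, same_signer),
    }


if __name__ == "__main__":
    for case, verdict in demo().items():
        print(f"{case}: {verdict}")
```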
Well. There is one thing that I don’t get…
Normally Android apps (apk files) are signed. Android prevents the update of an existing package if the signature of the update is different from the one used by the installed app.
This should normally make such a scenario impossible.
So what exactly leads to this bug?
* Was the Samsung email app not signed correctly?
* Does the signature check not happen when updating a system app (scary situation!)?
The Samsung Mail client and the MTS mail client were made by the same software company. All APKs were signed correctly, but the ID of the app was not checked for duplicates.
No need to do a wipe or reset!
From Google sources:
Go to Menu > Settings > Applications > Manage applications.
Scroll to the “All” tab.
Select the “Google Play Store” application, then tap “Clear cache” and “Clear data”.
For Download Manager, follow the steps listed above again, and at step three use “Download Manager” instead of “Google Play Store”.
Keep in mind that before clearing the Google Play Store application’s data, if you have set a PIN code and/or a content filter, you will need to apply those settings again.