There's been a considerable amount of confusion today surrounding Samsung smartphones, the Google Play Store, and a previously benign app specializing in email for Russians. A bunch of Galaxy-series phones have inexplicably had "МТС Мобильная Почта" (Mobile Mail) from QJSC Mobile Telesystems installed via a Google Play update, without their owners ever having seen it before. What's even more concerning is that the app can't be uninstalled, and affected users have been given no explanation.
If you're reading this and immediately thinking someone's hacked your phone... well, you're kind of right. Here's how this happened: every Android app has a unique identifier under which it's installed. For example, Angry Birds Space is installed under the system name com.rovio.angrybirdsspace-1.apk. The identifier for Samsung's proprietary mail app is com.seven.27. For whatever reason, the Russian email app chose the exact same identifier when uploading to the Google Play Store. The Google Play Store noticed this "new" app installed on thousands of phones, and pushed the "update" to the Samsung phones running the proprietary mail app.
Some of the folks at XDA have been taking a good look at the app itself, and concluded that it's harmless. Relax: your bank account numbers are not zipping across the Internet to some shady shack in Siberia. That still doesn't explain why the developer chose that particular install name in the first place. Did they know that they'd be getting installed on thousands of Samsung phones automatically? Was it an extremely specific goof, with someone copying the name of an essential Samsung app without realizing it? Neither Google nor Samsung has commented thus far.
In any case, this little fiasco has illustrated a couple of weak points in Android's infrastructure. One, the Google Play Store can get a little overzealous with its automatic update procedures, and has a definite security hole when it comes to app file names. And two, it demonstrates just how essential and necessary it is for users to be able to uninstall or otherwise disable native apps. If you're one of the few people running the official version of Ice Cream Sandwich on the Galaxy S II, you can simply disable the app. Wouldn't it be nice if everyone could do that, eh Samsung?
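For anyone managing a fleet of phones, the situation described above (an app arriving as an "update" under an identifier that already belongs to a different app) can be caught by comparing app inventories taken before and after an update. The following is an added example, not code from the original article or from Google or Samsung; the record fields, the signer digests and both sample inventories are constructed assumptions.

```python
# Added example: flag apps that kept their package identifier across an
# update while the signer or user-visible name changed.
# All inventory values are constructed; signer digests are placeholders.
from dataclasses import dataclass

@dataclass(frozen=True)
class AppRecord:
    package: str       # Android package identifier, e.g. com.seven.27
    label: str         # name shown to the user
    signer: str        # digest of the signing certificate (placeholder)
    version_code: int

def find_identity_changes(before, after):
    """Return (package, severity, changed_fields) for every package present
    in both inventories whose signer or label differs."""
    old = {r.package: r for r in before}
    findings = []
    for cur in sorted(after, key=lambda r: r.package):
        prev = old.get(cur.package)
        if prev is None:
            continue  # fresh install, not a takeover of an existing identifier
        changed = tuple(f for f in ("signer", "label")
                        if getattr(prev, f) != getattr(cur, f))
        if changed:
            # A new signer means a different publisher; a label-only change
            # may be a legitimate rename and just needs a human look.
            severity = "high" if "signer" in changed else "review"
            findings.append((cur.package, severity, changed))
    return findings

# Constructed inventories modelled on the incident in the article.
BEFORE = [
    AppRecord("com.seven.27", "Samsung mail (constructed label)", "SIGNER-A", 10),
    AppRecord("com.rovio.angrybirdsspace", "Angry Birds Space", "SIGNER-B", 3),
    AppRecord("com.example.notes", "Notes", "SIGNER-C", 1),
]
AFTER = [
    AppRecord("com.seven.27", "МТС Мобильная Почта", "SIGNER-X", 11),
    AppRecord("com.rovio.angrybirdsspace", "Angry Birds Space", "SIGNER-B", 4),
    AppRecord("com.example.notes", "Notes Pro", "SIGNER-C", 2),
    AppRecord("com.example.newapp", "New App", "SIGNER-D", 1),
]

if __name__ == "__main__":
    for pkg, severity, changed in find_identity_changes(BEFORE, AFTER):
        print(f"{severity:6} {pkg}: changed {', '.join(changed)}")
```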
[via The Verge]