16 comments

[ 4.4 ms ] story [ 58.9 ms ] thread
I am curious if never logging in to Google while using an Android precludes one from being susceptible to this. Generally you are unable to reach or interact with the app store without first registering a Google account on the device, and accepting various EULAs.

EDIT: Thanks to the commenters below, it appears not participating in the app store ecosystem does not safeguard someone from this. Quite concerning.

Reddit comment explains that the software that handles app sideloading gets preinstalled by carriers: https://www.reddit.com/r/androiddev/comments/q4nltn/comment/...
So does this mean that if you purchase an unlocked phone directly from the manufacturer rather than your service provider, you shouldn't have this problem?
Or any device with an unlocked bootloader that supports popular custom firmware like LineageOS, GrapheneOs, or CalyxOS.
Doesn't look like it, this is using the "On-Device Platform" by Digital Turbine, which is used to preload bloatware onto phones. It's pre-installed on many phones for ad money.

Based off the "SingleTap" demo video, it even works in a browser on an ad, which is a bit scary.

According to the partners list, phone/provider brands affected are: Verizon, At&T, Samsung, LG, Xiaomi, Motorola, Panasonic, Acer, T Mobile, Cricket, US Cellular, America movil, Tracfone, Telfonica and Tim Gruppo Tim.

In addition to the sibling commenter: AdMob SDK had support for ultrasonic data exchange for a while now, and it's heavily used in Europe while TV ads are running.

Safeguarding your phone from network communication wouldn't be enough, as you would have to prevent audio communication as well - which kinda defeats the purpose of it being a phone.

I'd recommend to use LineageOS or Graphene on any Android smartphone. Use RethinkDNS [1] as firewall and AppWarden [2] to identify spyware.

You can also double check the reports page of the exodus prvcy project [3].

[1] https://rethinkdns.com/

[2] https://gitlab.com/AuroraOSS/AppWarden/-/releases

[3] https://reports.exodus-privacy.eu.org/en/

The fact that Apple doesn’t allow (non-Apple) pre-loaded bloatware on iPhones is probably the number one reason I’ll never switch back to Android.
(comment deleted)
Google-based Android. I'm switching from iOS to an ungoogled Android distribution sometime this year due to the iOS spyware that's coming out in 15.x.

I also can't install any apps on new devices without giving Apple an email and phone number, which is its own kind of bullshit.

You could use some GrapheneOS in your life =] Not all Android is Googley.
Unless you have a second phone with a proper Os I wouldn’t even suggest using any unlocked phones, banking apps and other daily use apps for common people just wont work.
afaict this could not happen on an unlocked Android phone
What do mean unlocked? This can happen on any phone the OEM chooses to load malware on.
To TL;DR the discussion: Some Android manufacturers/carriers include a software package by a company called Digital Turbine, which allows automatic installation of apps through a single click on an ad. It’s not a feature of Android itself (I initially thought it was an add-on to instant apps).

It‘s not like I needed another reason to hate the common Android ecosystem, but here we go. I maintain that there’s no way you can legitimately trust your phone manufacturer’s software. The incentives are just too misaligned. You have to use a third-party ROM like LineageOS (which has its own issues).

Most hardware manufacturers can not be trusted with software at fucking all. Apple seems to be the only exception.

Hardware and software need to be distributed separately (see personal computers), which could also solve some issues with updates. Treble is a good but under-utilized step in between.

> Apple seems to be the only exception.

Nah.

Apple’s walled garden keeps out the hordes of adtech shovelware barbarians.