261 comments

[ 3.4 ms ] story [ 93.6 ms ] thread
> Disguising itself as the innocuously-titled “Android Developer Verifier” (ADV) process, this trojan horse runs surreptitiously in the background as a system service with full root privileges, quietly awaiting an activation signal. The service cannot be blocked, disabled, or removed. Unlike a commonplace bit of malware, this extraordinary strain won’t be detected and neutralized by Play Protect (the malware scanning and remediation service that is installed on all Android Certified devices). In fact, Play Protect is itself the vector through which this virus is transmitted and installed.

> That is because it is Google themselves who is propagating ADV. And once activated, this malevolent process has exactly one goal: to block you from running software by developers who haven’t been approved centrally by Google.

The rest of the article is a claim that Google's new terms of service amount to "malware is any software we [Google] don't like."

It seems like Google is aiming for its own walled garden.

> How long before they designate all ad-blocking software as malware, block installation on all Android certified devices worldwide, and permanently designate all developers of this class of software as malware creators?

Classic slippery slope fallacy.

https://en.wikipedia.org/wiki/Slippery_slope

History shows that when a "slope" appears... regulation steps in, technology evolves to solve the problem, or the culture shifts to reinterpret the thing.

In almost every case, the feared "bottom" of the slope was never reached because humans constantly built ramps or bridges along the way.

Just look at the world around you, the slippery slope "fallacy" stopped being a fallacy long ago.
I don't know which timeline you live in, but in mine I've stopped counting how many slippery slopes ended up exactly where the critics said they would.
My Android 15 handset doesn't have com.google.android.verifier process. It could be a Ulefone thing. They're especially pro-user (ex:root friendly).
I understand the frustration (I'm an avid fdroid user across many many devices). But this article comes off as childish with the virus/trojan/"malware vendor".

With such an article, many (including perhaps google) get the ammo to disregard what fdroid says, by branding them as childish/not to be taken seriously. for eg: no reputable news org is going to post this.

PS: https://keepandroidopen.org/ is better done.

The article provides enough evidence for that label. Unlike Google, who can arbitrarily call anything "malware". This is the contrast the article attempts to point out.
I don't understand how this is legal in the EU under the DMA, does anyone know?
This is arguably required by Article 30 of the EU Digital Services Act.
The same way Apple is allowed to do it presumably.
It's not.
Oh? I'm not familiar with any fines or ongoing cases against Apple in the EU over their implementation of alternative app store support.
Why would they get a fine for complying? You can install alternative app stores on iPhone perfectly well.
Apple also still requires all apps that go through their app store to be signed through their mechanism and retains the same ability to banish them.
I use Android because it lets me install whatever I want on my phone, which it does not seem to me, controversial. The phone is either mine or it is not. I don't want Google's protection. Particularly, if I can't refuse it.
That's a nice digital content you have there. It would be a shame if something happened to it...
When a company does something that seems to be out of The Godfather...
Android users need to switch to Graphene.

Someone needs to create a Linux based mobile OS foundation - Google's domination is contrary to many large companies interests, and if Meta and many other such companies were approached, they may well donate large sums of money in their own strategic interests.

The reality is that these types of problems affect too few people to matter. No appreciable amount of people will switch, or are even capable of it. And even if you made it a no-brainer, most people aren't going to change the OS that came on their device, warranty or not.
> Linux based mobile OS foundation

AOSP is a Linux-based mobile OS. It runs fine on top of standard Linux kernels without downstream changes. Getting rid of the need for closed source userspace drivers for components like a modern Mali GPU can be done with AOSP and will benefit the most people that way. AOSP if many companies and others band together to do it. It could also happen due to government intervention due to Google's antitrust law violations, but that could be done poorly in a way that harms open source.

This would be the line for me. If at some point I'm unable to build an .apk and install it on my phone without Google letting me, I'm moving to Huawei.
If you're building the APK, you're probably installing via ADB, in which case none of the changes apply
I understand not being happy about what Google is doing, but it seems like F-droid can’t be trusted not to heavily spin things.
I think the most fun part with Google is that if some wayward algorithm decides it doesn’t like you, along with nuking your app and developer account it will probably nuke your 20 year old gmail, your kids Google Drive accounts, your wife’s YouTube premium, the Adsense account of some company you worked for in 2008, and disable your Nest cameras.

And you’ll never reach a human to sort it out.

One of my best friend has a Jolla phone.

He never had WhatsApp. He refuses to use google. Only till recently he started using signal. He has been using an old Nokia phone till he was forced to upgrade by his operator. He is European and here in Europe WhatsApp dominates. Despite all that and having a very social life, driven by work, he manages.

I recently ordered a Jolla phone. I don’t want to know about android. I might tolerate iOS. But shelling thousands of $ for a phone that is controlled by an external company…

I am looking out for messaging alternatives. I am at a point where I think linking your identity to a phone number is not right either.

Let’s say we should all wake the fuck up. This is not right. Having a phone with such spyware is a potential attack vector I don’t want to have on the most important device I own.

It's all good until your European bank starts requiring unrooted Android and iOS for their mobile banking app, then tries to force you to use that app instead of letting you sort things out at their building. Then the government starts requiring you use unrooted Android or iOS to sign into their website for administrative tasks, and so on.
The endgame is that I will keep a phone in a drawer next to a 20 yo hardware token I still use to access a bank. When on the move, we will see.
If that ever happens (what am I saying we all know it’s happening). Then just a phone in the drawer I use it just for such administrative tasks.
Right, until you have to use a mobile app to pay for parking or validate your bus/train ticket and so on. Yeah, "I can use my physical card", for now. Long-term we need a better solution that keeping an extra up-to-date phone.
Not sure Jolla deserves to be trusted, you'd be much better off with GrapheneOS. In any case, try out SimpleX for a messenger. You can also take a look at https://xn--gckvb8fzb.com/an-overview-of-privacy-focused-dec...
Thanks for SimpleX it looks like a great solution for a longstanding problem.

Why would you not trust Jolla? It was born from Nokia employees. GrapheneOS is a great alternative. Still Android though.

That happened to me, lost 16 years old gmail account, which is my main account for my digital life. It happened after I disabled some tracking, and Google was no longer able to recognize me, even though I had my phone number registered, it was not enough.
I suspect this will happen to me soon, though all I do with it is occasionally sign in just to keep it registered. It now refuses to log me in unless I am on a specific IP address, no matter how many MFA steps it requests and I pass.
Same. Lost my 2004 Gmail because they silently enabled 2FA and the phone number on the account is a long lost one. I have the username/password and the recovery email is set to me. The account also forwards all emails to me, so I still get the mail, but I can't log into the account.

Not yet found someone to do a SIM swap for me and get the 2FA code...

I've seen multiple stories of people buying phones from Fi, the phones never arriving, google refusing a refund, and on a chargeback, their entire google account gets shut down.
Holy crap that is scummy.

I still use 2 Google services, of which neither would crumble me if lost (YouTube, and my old email which now acts as my spam inbox). I have lost accesses before, when I was still partially dependent, and had to give up my privacy to get access again, long enough to get off. It sucks but I do consider myself lucky that I was able to prevent the life crushing consequences that some people have had. Such a terrible company.

You go self-hosted and try to stick to real small alternatives, subset of technical standards, etc.

I am not a US citizen, but a EU one (well, since we have seriously rogue and toxic EU states, I dunno how long it will last).

And guess what, the handling of the issue of technical interop for administration online services is done... at the top of the top of the political power: in my EU country, only the president and prime minister do define it. Yep, you read well, it is THAT MUCH important: parliament, no power over it, 'technical authorities' have actually no real power over anything, etc. It requires the same level of power than deciding to make more nukes.

Basically, in 2015/2016 our president/prime minister at that time literaly gave all the administration (and dependencies) online services to big tech (a technical document which is basically 'law' with a content 'opening the gate' for big tech). Well, I say 'they gave it', but they could have 'sold it'... we have a department in our DOJ to monitor past politicians who could have set up some public money channels in order to benefit from it, often indirectly, afterwards. The following president and prime ministers did change nothing... how deep the rabbit hole goes? Brain washing via hardcore lobbying? Corruption?

IRL, you had country administration related web sites, working more that fine with "any browsers", small and big, citizen made, small company made, now it is over, they were all broken for web apps which do work only with whatwg cartel web engines with their abomination of "computer language" requiring an even worse SDK. Same with file formats.

There is light though, if this document of technical 'law' is properly modified, the whole administration and dependencies have 3 years to restore simple web sites and support minimal and subset of file formats.

This is exactly why I’ve moved to paid email and smaller company alternatives for important stuff like this. I’ve had family members lose Google accounts and have no recourse (of course, doesn’t help that their recovery settings were miserable and they can’t keep track of passwords to save their lives).

It’s also why I stopped tolerating iCloud Photos’ extreme levels of abstraction, because it makes backup impossible.

If you want recommendations, here they are:

Paid email: take your pick! Once you get your own domain, the provider behind it is interchangeable.

Photos: Ente photos has been great, and I run the desktop client in the background on my desktop to do the automatic export to my own NAS storage just in case the company goes under. You can actually reach a human there as well.

Cloud storage: Filen is what I would currently consider my least bad option for having Linux desktop support, coming in at a low price, and having the ability to easily sync to NAS. When they finally get global search working on previously uploaded files it will be much less of a pain to deal with.

Password manager: take your pick, I think it’s important to use a third party one that doesn’t depend on your big tech account. But also don’t use LastPass, it sucks.

Notes: I’m enjoying Craft so far, though Zoho Notebooks checks all the boxes I need at a lower price. But Craft is nicer. I have yet to need a paid plan, though.

I would strongly advise using your personal account to access the developer-side of the Play Store.

No, these services shouldn’t all be bundled under a single account…

To avoid this, I tried to close my Google Play Developer account. A decade ago I published a free app on it, which was online for half a year.

It was to no avail. They will not close the account.

I received only automated responses about bringing my old app into compliance with current policy, to then transfer it to another developer account.

Only then would Google graciously allow me to close my Developer account.

Meanwhile, private Google services charge me the wrong prices, because I have a Payments profile in another country. It is associated with a Merchant account, which is linked to the Google Play Developer account.

The support concluded that this can also not be closed, and that I should close my Developer account first.

It's hell.

wonder what that app was for
Gotta move to the EU and sue based on right to be forgotten
Suing a company will almost certainly result in them exercising their right to not do business with you and shutting down all your accounts - exactly what OP was trying to avoid
In some EU countries - it could be seen as retaliation if you sue for something and then Google closes your accounts, some EU countries have strong protections here.

More importantly for Google though it's under extra scrutiny under the DSA at the EU wide level - so it doesn't have a clear right to not do business, it has to do terminations correctly with clear reasons set out in terms, there are mandatory notice periods etc.

Which countries have that?
Let us know how that works out for you!
really? I have to keep making useless updates (just a version number bump) on one of the accounts i manage, because i keep receiving thread emails every 6 months that the developer account sees no activity and if i don't do anything they will remove and close.

that app is a done project and need only to be udpated when the target SDK becomes too old for the play store

Yes, unfortunately that has not been the case for me, my account is still active.

My app has already been removed when they added the Privacy Policy requirement for the Advertising ID, where I did not update the app.

It's not just google. Try removing an unpublished but uploaded iOS app. Wasn't possible for decades and I guess it still isn't. You eventually could hide them. The only way to remove it was to publish it, but that requires app validation, which a failed app is not suited for.
I tried to close my account, and got the response. But they closed it when I failed to verify it.
Yep! One way, or another, we gotta' get people out of the system.
The vulnerability of your Google identity is terrifying.
I tried recently to create dev. account. I have not yet been successful. It is a painstaking process.

I had to submit my ID, my phone number, email.

Then to verify I had to give my address. They rejected my ID twice, so I had to submit driving licence.

I am several weeks in, and could not even produce a single app.

Their algorithm already rejected me, for no obvious reason.

This almost happened to me 4-5 years ago. I don’t recall every detail but right around the time I was deep into a new job interview process, Google Pay decided it needed to verify my identity. It may have been triggered by one of my cards expiring but I don’t think I had ever used the service to actually pay for anything at that point and just had a card saved. Anyhow, I was almost immediately locked out of my primary email account as well and got delayed in sending documents to the potential employer and had to explain that I got locked out of gmail. Unfortunately, I didn’t learn my lesson and still use that gmail account as my primary email but I did at least open alternative accounts on other cloud providers.
This is why I don't mess with any of Google's AI offerings right now. Losing access to my Gmail (technically a google apps for our domain) account would be devastating. I think the risk that some google ai decides I'm abusing their ai and bans me is too high.
This has been known for quite a while; when I published an Android app ~10 years ago I saw lots of people advising you to create a separate Google account to publish apps under, because a robot can just terminate your entire online identity for the crime of trying to contribute to Google's app ecosystem.

I left behind Android and as many Google services as I could in 2020 and so far I've only been more vindicated with that decision over time.

Leadership at Google should face prison time for this sort of practice. We wouldn't accept it in the physical space, so why do we accept it cyber space?
Have a friend lawyer that will send them a proper letter. They will take you seriously that way. And if you live in EU, use GPT... Actually, use Gemini (!) to craft another great response invoking a number of articles etc that they are in violation of.
I'm still a little bit confused why the EU does not take action in this. This is definitely a monopolist overreach which has to be shutdown from the beginning
What Google is doing is shameful. One of the promises of Android was being more open than the restrictive Apple ecosystem.

Now that they reached penetration they do the switch - under the guise of security.

Just let me do with my hardware what I want to do it. Let it be my responsibility to install whatever I want (and stop calling it "side-loading", as if I am doing something shady from the "side").

We need to resist this! Alas, from the broader response it seems that most people just do not care.

Epic games sued both Apple and Google for anti-competitive behavior.

Apple was found not guilty.

Google was found anti-competitive.

In the appeal, Google asked the judge why Apple wasn't anti-comptitive and the judge told them that Apple wasn't anti-competitive, because there were no competitors on their platform to compete with.

Google lost the appeal, an inflection point in tech was created, and Google wondered why the hell they tried being open when xbox, playstation, nintendo, apple, all get to do whatever they want on their closed platform.

It's incredible how little coverage that ruling gets despite how damning and detrimental to tech it's implications are.

This is not malware. It's an official part of Google Play Services.
it is malware when everyone is explicitly asking to not have it.
(comment deleted)
I just launched an app in the Google Play Store. I did find it a bit weird that I had to provide my physical home address to get my app listed. Not sure what I would do if someone turned up to complain. Make them a cup of tea?
You should not distribute apps via the Google Play Store. Using alternative means, including F-Droid as relevant. And it was a mistake of you to register, because you're helping Alphabet exert more pressure and control on others.
Does this mean that apks that i've built and installed through adb will stop working? That would be a real damn shame.
> In computing, a trojan horse or trojan is a kind of malware that misleads users as to its true intent by disguising itself as a normal program. [1]

Google is Trojans all the way down. What is the true intent of almost every Google product? Data harvesting.

Every single product is spyware of some kind. They've even managed trojanize TVs by subsidising manufactuers to ship their spyware.

[1] https://en.wikipedia.org/wiki/Trojan_horse_(computing)

I've already disabled Play Protect ages ago because it kept removing apps I had installed through F-Droid. Actually, I almost only install apps via F-Droid. I wonder if the ADV will install with Play protect disabled ?
The frustrating part is that security features often look like malware from a technical perspective. The intent is different, but the capabilities can overlap.
This kind of speech will only go with fellow technical users, most folks buying phones at the usual phone operators won't care less.
This is more than enshittification, it feels like purposeful brand destruction.

Are governments going to institute more lockdowns? Is this some topdown control thing?

I will root this POS android phone I have and forego any Google Play services and just use it as web browser and a phone. Fuck these guys!