
A new Android malware from Google

365 points | 8 hours | f-droid.org
transcriptase 4 hours ago

I think the most fun part with Google is that if some wayward algorithm decides it doesn’t like you, along with nuking your app and developer account it will probably nuke your 20-year-old Gmail, your kids’ Google Drive accounts, your wife’s YouTube premium, the Adsense account of some company you worked for in 2008, and disable your Nest cameras.

And you’ll never reach a human to sort it out.

avaer 3 hours ago

The blast radius is far worse than any "malware" Google could protect you from.

TFA is playing it up, but it is arguable that this is a real virus, except the shady hackers are Google.

techpression 3 hours ago

We experienced this with Anthropic, not the same blast radius obviously, but out of nowhere the account was terminated. No support available. It was via someone’s 30+ year old classmate via LinkedIn that the account got reinstated.

As a counterpoint to the right to repair there should be a right to recover.

Gigachad 3 hours ago

There was a more direct case where someone’s child had been interacting with Gemini inappropriately, resulting in Google nuking the entire family’s Google accounts.

bayindirh 2 hours ago

I still remember how uploading photos of a man's own child created the catastrophic chain of events.

Kicker? The photos were requested by a doctor.

Ref: https://www.koffellaw.com/blog/google-ai-technology-flags-da...

techpression 2 hours ago

That’s quite insane, especially considering how Google is pushing Gemini into every single product.

m00dy 4 hours ago

it's a nightmare.

linuxhansl 4 hours ago

What Google is doing is shameful. One of the promises of Android was being more open than the restrictive Apple ecosystem.

Now that they reached penetration they do the switch - under the guise of security.

Just let me do with my hardware what I want to do with it. Let it be my responsibility to install whatever I want (and stop calling it "side-loading", as if I am doing something shady from the "side").

We need to resist this! Alas, from the broader response it seems that most people just do not care.

ankurdhama 2 hours ago

AFAIK you can still install any random APK but the process will require enabling developer mode and a one-time 24-hour wait period. But the problem is many stupid apps check that developer mode is on and refuse to work.

sscaryterry 3 hours ago

This is worse than Apple. With Apple you knew where you stood day 1.

pjmlp 3 hours ago

Ah so the Do No Evil wasn't serious after all?! /s

zx8080 3 hours ago

It was indeed! And Google removed it in 2018.

- https://en.wikipedia.org/wiki/Don%27t_be_evil

frollogaston 2 hours ago

"Don't be evil" would be some evil company's motto in like Lego Movie 3

avra 3 hours ago

> We need to resist this!

I agree. What do you suggest? How can we contribute to the resistance?

Arnt 2 hours ago

This started with phishing, poor people being tricked to install apps that then drained their bank accounts. So to resist, maybe focus on that evil? Better international cooperation, better prosecution?

stymaar 2 hours ago

> This started with phishing

It didn't.

Phishing is just a pretext. Google didn't care about phishing for the first 20 years of Android. Why do they now? Because it serves as an argument to close their platform a little more (which is a trend that has been going on for years).

frollogaston 2 hours ago

I do think it's about Google trying to squeeze profits out of Android, but is there more direct evidence of this? Cause I always have to wonder if it's something else like KYC/WEF.

iririririr 2 hours ago

or how about don't allow government and banks and telcos to use abusive apps to provide essential services?

those people fall for this because for everything poor people do, they need an app that is provided by sleazy vendors and that requires tons of permissions, and face scan and what not. they were primed so those businesses could save in operating costs.

that's the problem. won't solve it with slightly less sleazy vendors.

mschuster91 2 hours ago

We can't even get India and Turkey sanctioned for evading the anti-Russian sanctions... good luck holding them accountable for the scam callcenters.

altairprime 3 hours ago

Shame isn’t an applicable concept for a corporation.

nehal3m 2 hours ago

Maybe we need an economic system where it is. Shame should come packaged with legal personhood.

altairprime 2 hours ago

Better to pass state bills modifying all of that state’s articles of incorporation to compel adherence to B-corp standards.

stymaar 2 hours ago

Shame has ceased to be an applicable concept for anyone “important” enough to get free media attention.

khurs 4 hours ago

Android users need to switch to Graphene.

Someone needs to create a Linux based mobile OS foundation - Google's domination is contrary to many large companies interests, and if Meta and many other such companies were approached, they may well donate large sums of money in their own strategic interests.

throwburn202605 2 hours ago

GrapheneOS is currently the blessed child. Like CyanogenMod previously. They are "permitted" access to Google Play Services because their work hardening Android currently benefits Google.

Once Google feels like there is sufficient stability and compatibility with hardened memory allocator and tagged memory (and when they can get Qualcomm to support it across their range), they will make it harder, until impossible, for Graphene.

An old article [1] but:

> Google’s Android—and [Open Handset Alliance] members are contractually prohibited from building non-Google approved devices

So to compete you'd have to create a compatible Google Play Services as well as find a supporting manufacturer. Samsung managed their own competing apps and store [2] for a while along with Tizen, likely for leverage or theoretical pivot. But has since dropped that effort.

[1] https://arstechnica.com/gadgets/2018/07/googles-iron-grip-on...

[2] https://arstechnica.com/tech-policy/2021/07/google-bought-of...

hulitu 2 hours ago

> Android users need to switch to Graphene.

Which supports only Pixel devices.

dryarzeg 3 hours ago

> Android users need to switch to Graphene.

Doesn't GrapheneOS support only Google Pixel smartphones now? For most of the users, that would mean changing their phones beforehand. And if we're talking about common people (especially not in US), it's not even everyone who can afford that. Moreover, in my opinion, by buying Google phones you're feeding Google, and I, personally, would like to avoid that.

khurs 2 hours ago

Yes but they have signed up with Motorola so that is changing

https://www.androidauthority.com/grapheneos-motorola-partner...

preisschild 3 hours ago

> Doesn't GrapheneOS support only Google Pixel smartphones now?

For good reasons. Most other devices aren't secure enough to guarantee privacy. Especially not if loaded with a custom operating system (most devices don't allow verifying the boot chain with a custom OS)

> And if we're talking about common people (especially not in US), it's not even everyone who can afford that.

You can get a new Pixel 9a here in europe for around 350€ and it will be supported at least until April 2032

> Moreover, in my opinion, by buying Google phones you're feeding Google, and I, personally, would like to avoid that.

Google phones are surprisingly open and work well. Google takes a pro-user stance here that is extremely rare in the ecosystem, so why not support this product?

spaqin 2 hours ago

It's alright, whatever the reasons might be, but let's not pretend there are no other ways out. I'm content with newest LineageOS on my 7 year old mid-range Xiaomi. I don't mind the loss of privacy guarantee. I don't have to spend any extra 350 euros and lose the headphone jack in the process.

secult 2 hours ago

So to avoid Google's Android I buy a Google phone to not run Android?

Forgeties79 2 hours ago

> Google phones are surprisingly open and work well. Google takes a pro-user stance here that is extremely rare in the ecosystem, so why not support this product?

Because they will pull the rug here one day too. Why on earth should we trust them to keep this approach to their hardware?

cadamsdotcom 2 hours ago

Don’t defeat yourself in a one person battle.

After all, it might rain tomorrow - but you should still go outside today.

aquariusDue 3 hours ago

I keep hoping for something more radical like Jolla and SailfishOS taking off or postmarketOS becoming a true viable alternative but as things are looking like now there's a better chance we'll ditch phones altogether in 10 years when smart glasses will replace them instead.

pbmonster 2 hours ago

> we'll ditch phones altogether in 10 years when smart glasses will replace them instead.

Billions are spent right now to make sure the glasses also run Android or iOS. So far, Google, Samsung, Magic Leap, RealWear and Vuzix are working with/on Android XR, and obviously Apple is working on AR/VR iOS.

Meta and a couple of smaller startups are doing something in-house, but I don't give them much chance to get an ecosystem going.

DaSHacka 3 hours ago

Honestly don't think that would be so terrible, with how bad and locked down the mobile ecosystem has gotten.

Rolling the dice on a new technology could wind up being much more favorable.

GuestFAUniverse 2 hours ago

What /new/ technology? The basically same platforms. Just smaller phones with more cameras recording everybody without consent.

kalx 4 hours ago

I tried. But then I didn't get access to essential services like banking and national resources.

AlexAltea 3 hours ago

FWIW, I submitted an EU DMA complaint (Art 27 report) against Alphabet for unfair gatekeeping against third-party distributions like GrapheneOS via Play Integrity. More info: https://github.com/AlexAltea/blog/blob/master/posts/2026-06-...

Convincing developers, especially bank and gov apps, is near impossible and won't scale well. Going after Alphabet for not meeting DMA obligations seems the easier path. Might not go anywhere but worth a shot.

frm88 2 hours ago

Is there something we can do to support your efforts?

AlexAltea 2 hours ago

Only two things come to mind:

1. Provide or find pro bono legal resources deeply familiar with EU DMA and similar antitrust regulations, willing to proof-check and improve this report, and perhaps advise on better channels to submit it.

2. Locate more affected end-users, including applicable members of the GrapheneOS Foundation and developers behind other distributions, make them aware of these efforts so that hopefully we submit a joint complaint. (Might get more traction, though AFAICT reporting is limited to EU citizens).

Happy to fork this into its own repository if it helps with collaboration.

preisschild 2 hours ago

> Convincing developers, especially bank and gov apps, is near impossible and won't scale well

Not impossible though, my bank and govt eID app did do safetynet, but after enough users complained in both apps you can now skip a warning and use it without issues

zerof1l 4 hours ago

Graphene OS user here. Almost all of the apps I tried work fine. All the banking apps I use work. Have you tried reaching out to the app developer or the service and explaining what Graphene OS is and asking them to support it? I was able to persuade one app to do it.

[1] https://privsec.dev/posts/android/banking-applications-compa...

kalx 3 hours ago

Problem is that all banks require a national, centrally controlled service for login (BankID in Norway). And it is this service that I cannot get to work running GrapheneOS. It worked a couple of months ago, but not anymore. And all customer services and complaints are directed to your bank who 1) has no idea what I am talking about and 2) has no control over BankID verification requirements.

LadyCailin 3 hours ago

I’ve nearly decided to switch back to the code brick instead of BankID app. It’s less convenient, but with the way things are going, I’m just not sure I want to exist in the digital world much longer.

kalx 4 hours ago

Correction: I did get bank access. I just couldn't log into the bank without a Google or Apple controlled device.

feelamee 3 hours ago

lol, this problem stopped me from installing GrapheneOS early. But now.. I removed banking apps by myself because my state require room them to collect phone fingerprint and access to location EACH time they opened. So... looks like now nothing stops me

Arnt 4 hours ago

I know Graphene has innovative security measures, do you happen to know whether that includes anything wrt. phishing or social engineering?

(For those who haven't been following along: this whole affair started with phishing. People were social-engineered into installing an app and a little later their bank accounts were empty. A big issue in various poor countries.)

Aachen 3 hours ago

That's one of its primary arguments: besides the hardening against exploits, they're considered such a safe OS because you cannot access your data either and give the wrong app root access. Everything lives in a sandbox. Whether not being able to grant full access to e.g. adb shell, Termux, or Restic is what you want is a personal choice, but it adds a layer of security against any malware that tries to get you to grant them root access

This is also the argument they use to try to convince app vendors to add their keys to the allowlist, because the app makers can trust that their DRM will be active (if Netflix sets a "no screen recording" flag, you the user cannot circumvent it by e.g. reading /dev/fb0). It should have broader compatibility than other FOSS Android builds (when running the officially signed version of course, you can't compile it yourself and expect such apps to run there)

kuschku 2 hours ago

So it doesn't actually do anything to give control of the device back to the user?

One of the core tenets of truly free software is that I as a user must be able to run, access, edit, and view everything.

jabwd 3 hours ago

It is not an OS with bubblewrap, you can still mess up your privacy / security if you want to, that includes phishing and social engineering.

Aachen 2 hours ago

Is anything bulletproof against the user signing away their data? I think the question was whether it has any measures in this regard, not whether it's impossible to get phished

preisschild 2 hours ago

> do you happen to know whether that includes anything wrt. phishing or social engineering?

Yes. For example if you install an apk from an unknown source (like a random website via browser or messenger) it will warn you what you are about to do and what effects that has.

You don't need to block stupid behavior. Just make sure users are well aware of their actions as long as they actually read warnings.

xandrius 2 hours ago

I would say Ubuntu Touch + a Fairphone. Graphene is too reliant on Google.

Pacers31Colts18 2 hours ago

I get it, but it really sucks that Graphene only works on Pixel hardware. I switched to Samsung with my last phone.

GuestFAUniverse 2 hours ago

Korean manufacturers are even worse when it comes to privacy violations.

I use a Samsung too. The bloat, dark patterns and enshittification with every update are even worse.

hkgvk 4 hours ago

The only reason I have not switched to Graphene is because for reasons I do not understand, Graphene OS is very closely tied with Google hardware.

I bought a /e/os Fairphone instead.

defrost 3 hours ago

Give it a year, we may have GrapheneOS/Motorola then ...

* (March 2026) Motorola announces a partnership with GrapheneOS Foundation - https://motorolanews.com/motorola-three-new-b2b-solutions-at...

cromka 4 hours ago

Those reasons are explained clearly and openly. Ironically, your /e/OS is way less open than GOS on Google hardware.

gf000 3 hours ago

It's because only Pixel devices have proper hardware security to build anything secure on top.

Timshel 3 hours ago

Not really a solution at the moment if you do not want to give money to Google by buying a Pixel (hopefully the deal with Motorola will work).

Long term I would probably have more hopes in https://postmarketos.org/

cherryteastain 3 hours ago

Buy second hand

preisschild 4 hours ago

I wonder if it makes sense to create an independent hard-fork of AOSP in the future. But probably the only option to keep this somehow maintainable is to replace many android-specific components with other userspace linux components that are already well maintained (systemd, networkmanager, wayland)

kalx 3 hours ago

Would this not require some control over the hardware? Which would be difficult for the FOSS community?

preisschild 3 hours ago

maybe not, heck people reverse engineered apple hardware and implemented it in various FOSS driver stacks

But yeah, vendors maintaining their drivers upstream in FOSS projects would obviously make it easier

nusuth31416 4 hours ago

I use Android because it lets me install whatever I want on my phone, which does not seem to me controversial. The phone is either mine or it is not. I don't want Google's protection. Particularly, if I can't refuse it.

kalx 3 hours ago

Well… you can run android without google? The problem is that essential security services require apple or google devices and you as a member of society need the security services.

Aachen 2 hours ago

Yet on LineageOS you're not affected. It seems you can build Android that isn't affected by Google, at least if you're willing to personally adjust the code to do what you want. You'd have to get exceptionally busy before it's not recognisable as an Android distribution anymore

karteum 2 hours ago

> Well… you can run android without google?

You can only run LineageOS on smartphones that allow unlocking the bootloader (which is more and more rare), and properly release the kernel source-code (many still don't, especially low-end MTK-based phones...)

realusername 3 hours ago

Let's call them anti-competition services since there's nothing in these increasing security.

StingyJelly 2 hours ago

We finally live in an age when I can tell a clanker that I want an app that does something that I need, connect the phone with adb and in half an hour have a working solution for my tiny problem while knowing little about android development. This is something google should embrace, not kneecap.

cryptonym 2 hours ago

What's their interest in you building side-loaded apps instead of using their data hungry services?

sambuccid 2 hours ago

It doesn't solve the current issue, but in case we don't manage to push back on this, some people might not know that there are various actual linux OSes for mobile:

- SailfishOS: still linux based and seems fairly community inclusive, but the UI part of the stack is closed source. Is the only one officially allowed to run android apps, via emulation. Has existed for a very long time, it's lightweight and I think the most stable/bug-free in this list.

- Ubuntu Touch: fully open source and community driven, it uses snap packages for security, you might be able to run android apps. Last time I ran it, it also seemed fairly stable/bug-free.

- PureOS: fully open source and privacy focused. I think it's the only one that, released with the Librem 5, can avoid using proprietary blobs for interfacing with the hardware. Seems less stable than SailfishOS and Ubuntu Touch. You would need to buy a fairly expensive-but-old phone (Librem 5) to run it.

- PostmarketOS: fully open source, focused on being lightweight and revive old phones, has a huge amount of phones it has been tested on, is based on Alpine.

- Mobian: mobile version of Debian, it's fairly new on this list.

There are many more linux mobile OSes, but as far as I know these are the main ones. There might also be some inaccuracies on this post, I tested some of these a long time ago, and I never actually ran the last 2.

anilgulecha 6 hours ago

I understand the frustration (I'm an avid fdroid user across many many devices). But this article comes off as childish with the virus/trojan/"malware vendor".

With such an article, many (including perhaps google) get the ammo to disregard what fdroid says, by branding them as childish/not to be taken seriously. for eg: no reputable news org is going to post this.

PS: https://keepandroidopen.org/ is better done.

econ 5 hours ago

I thought the same thing but he apparently has a point. The stated purpose covers only a tiny sliver of the capabilities. The agreement points to the TOS where it (last time I looked) says service may be terminated at any time without stating a reason. Nothing guarantees it won't be used for things other than security. And finally he has a point where it also doesn't really do much for security.

If we ask their fine search engine, the AI helpfully explains malware to be software designed to gain unauthorized access to disrupt, extort payments and/or hijack devices.

If you still think the shoe doesn't fit, imagine what would happen if one managed to create an app with the same capabilities. Google would remove it immediately for being malware. Obvious malware.

r_lee 3 hours ago

I'd usually say it'd be far fetched

but I can totally see Google banning developers and removing their apps for political reasons, where some lobbying group bombs them with emails

because with this they're explicitly saying they're now choosing who gets to be in or out, there's no way for them to say we can't do anything about it

I do think this would improve security, but I also think it's sort of a Trojan horse to lock down the ecosystem

nok22kon 2 hours ago

> several Russian mobile apps related to the Russian internet company VK were deleted from the U.S. tech giant's App Store.

https://www.reuters.com/world/europe/kremlin-demands-explana...

nok22kon 2 hours ago

nothing guarantees the Microsoft/Apple/Ubuntu/RedHat will not push an update through their infrastructure to delete some software from your computer

all OSes have malware level capabilities. it's literally the definition of an OS

kuschku 2 hours ago

> Ubuntu/RedHat

That still wouldn't affect projects like Debian or Arch, but going even further, they can't push through updates anyway. Nothing forces me to install updates, it's an active choice to do so.

stingraycharles 4 hours ago

Isn’t Google going to do what Apple has been doing since forever? Or is Google somehow doing something worse?

RobotToaster 3 hours ago

I bought an android instead of an apple because I didn't want the kind of malware apple has always shipped with idevices

jb282 4 hours ago

Apple's policies were established when you purchased the phone. Apps come through registered developers and their vetting.

Google has changed the game on something you already own. I'm sure their lawyers have done their homework, but in some jurisdictions this is certainly actionable.

0x53 4 hours ago

I think the point they are trying to make is that in the terms of service Google says they get to define what is malware (halfway through article) so the author is trying to point out that exact danger: what happens when Google gets to randomly call things malware.

realusername 3 hours ago

I have the opposite opinion, Google is doing a lot of garbage in the name of "Security", time to play their game and report their control on Android as security vulnerability

gadders 3 hours ago

I just launched an app in the Google Play Store. I did find it a bit weird that I had to provide my physical home address to get my app listed. Not sure what I would do if someone turned up to complain. Make them a cup of tea?

r_lee 3 hours ago

well they can swat you, order pizza, send you packages (who knows with what inside), spread false info about you if you've given out more info etc...

all it takes is one guy who gets too mad for some reason

and it's gonna be a lot more costly for you to do anything about it vs. that guy who gets to be completely anonymous about it

gadders 2 hours ago

Not sure how well swatting works in the UK, and pizza deliveries are all pre-paid.

But yeah, you could have a loony turn up.

Arnt 3 hours ago

How? I don't see the address published.

They can sue you and Google will give your address to the court, clearly. But swat? Send packages? How?

gadders 2 hours ago

You need to put a literal physical address and not even a PO Box is allowed.

wiseowise 3 hours ago

Don’t know about US, but in EU you legally have to publish your address and it will be shown on the store page if your app has ads or in-app purchases.

Izkata 3 hours ago

It's because of a law in California. Don't remember the reason behind it, but Google decided to apply it everywhere. It's also why I let my app die years ago instead of publishing the updated version.

someonebaggy 3 hours ago

This is so that you can be sued or prosecuted if the app is malicious.

realusername 3 hours ago

There's no such requirement for publishing a website

someonebaggy 2 hours ago

There is - every server host does KYC and so does every domain registrar (by law). If you're found to have provided incorrect details, it allows them to immediately remove your server or domain without notice.

realusername 2 hours ago

No there isn't, Google's requirement is to put that information publicly for everybody to see. That's not nearly the same thing as being available on court request.

With that policy, Google encourages stalkers and put developers in danger.

wolfi1 4 hours ago

I'm still a little bit confused why the EU does not take action in this. This is definitely a monopolist overreach which has to be shut down from the beginning

hurfdurf 4 hours ago

But they did. EU formally allows all these measures by Google in the name of "security" as described in Digital Markets Act Art. 6 (4) fourth paragraph.

https://www.eu-digital-markets-act.com/Digital_Markets_Act_A...

IshKebab 2 hours ago

They're allowed to do it "to the extent that they are strictly necessary and proportionate ... provided that such measures are duly justified".

It remains to be seen whether the EU decides that this measure is strictly necessary, proportionate and duly justified. They sometimes do the right thing but I'm not getting my hopes up.

Aachen 2 hours ago

They'd have had to start with Apple which is more locked down and has comparable market power. Apple fans (iirc like 30% of the voter population) already scream bloody murder when compatibility increases due to legislation and Apple pushes some marketing about how terrible this is

We've accepted that OS vendors can do this for decades. I think that was our mistake: relying on Google as the only available vendor. We can't make a law that punishes Google for having been open all these years. Yes, of course I (like any 'HN' hacker, I'd think) would be in favor of forcing Apple to be open as well, but then it seems that the powers that currently run the EU (and a lot of voters) kinda like their remote DRM attestation for this digital identification project that you'll soon need for anything not suitable for toddlers and not reachable via a darkweb

FabCH 2 hours ago

They did? There is the whole "alternative app stores" kerfuffle going on right now between Apple and the EU.

ajb 3 hours ago

Indeed. I wonder if it falls foul of labour law. Blacklisting is illegal and whitelisting (certification) is normally done with multiple competing third party certifiers.

r_lee 3 hours ago

this is something the EU would love, it's part of the whole Transparency thing where you dox yourself to everyone

HNers (especially Americans) are super naive and think the EU is some bastion of freedom. no. it just wants to be a huge nanny state but in a wholesome way, where you can do whatever you want as long as it's approved

bouncycastle 3 hours ago

Does this mean that apks that I've built and installed through adb will stop working? That would be a real damn shame.

foxrider 4 hours ago

This would be the line for me. If at some point I'm unable to build an .apk and install it on my phone without Google letting me, I'm moving to Huawei.

aerzen 4 hours ago

Does Huawei not use android or Google play services?

animuchan 4 hours ago

It's Android but without Google's services, there's an alternative app store.

The irony of Chinese vendors providing a breath of fresh low-DRM air.

aerzen 2 hours ago

It seems like China is becoming the "freedom superpower" while USA is getting "corporate superpower" vibes. Huh

pjmlp 3 hours ago

Partially true, HarmonyOS NEXT is its own thing, with a Typescript based language ArkTS.

https://developer.huawei.com/consumer/en/arkts/

And now they are adding yet another one, AOT compiled, Cangjie

https://cangjie-lang.cn/en

Using Android fork has been a transition step.

animuchan 2 hours ago

Neat, thanks for this correction! Interesting, an entire new programming language.

Aachen 2 hours ago

Low DRM? I looked at Huawei devices because I figured they'd have to sell them here super cheap because of this downside most European people will even see as a showstopper ("how will I install my precious WhatsApp??"), but

- they're among the most expensive (I could afford that if needed though)

- they don't allow hardware unlock (ehh.. what's the point, then, if I get a locked-down device with Chinese surprises!)

animuchan 2 hours ago

OK yeah I didn't know they stopped allowing to root. Normal levels of DRM then, my mistake, you're right.

tsimionescu 3 hours ago

No, Google is barred from providing any services to them by the US government.

koolala 3 hours ago

not like that no, some US carriers don't allow them though like AT&T blocks you to google or apple phones. for them only pixel supports a way out with graphene.

foxrider 4 hours ago

No, they use AppGallery and HMS.

willtemperley 3 hours ago

> In computing, a trojan horse or trojan is a kind of malware that misleads users as to its true intent by disguising itself as a normal program. [1]

Google is Trojans all the way down. What is the true intent of almost every Google product? Data harvesting.

Every single product is spyware of some kind. They've even managed to trojanize TVs by subsidising manufacturers to ship their spyware.

[1] https://en.wikipedia.org/wiki/Trojan_horse_(computing)

3r7j6qzi9jvnve 7 hours ago

related: https://keepandroidopen.org/ previously on hn

- https://news.ycombinator.com/item?id=47935853 (2 months ago, 889 comments)

- https://news.ycombinator.com/item?id=47139765 (4 months ago, 378 comments)

- https://news.ycombinator.com/item?id=47778274 (3 months ago, 68 comments)

WarOnPrivacy 6 hours ago

My Android 15 handset doesn't have com.google.android.verifier process. It could be a Ulefone thing. They're especially pro-user (ex:root friendly).

EspadaV9 6 hours ago

Checked my Pixel 7 XL Pro and the app is installed and running (Version 1.0.866414232 com.google.android.verifier). I was able to force stop it, and disable it. Will check later to see if reenables itself.

Aachen 2 hours ago

Ex means "example" here right? Or do you mean ex as in the dictionary meaning of ex, as in, "formerly"?

nsim 2 hours ago

So, what's a good Linux tablet? I was thinking of trying an old Surface Pro.

johnathan101 3 hours ago

The frustrating part is that security features often look like malware from a technical perspective. The intent is different, but the capabilities can overlap.

pjmlp 3 hours ago

This kind of speech will only go with fellow technical users, most folks buying phones at the usual phone operators won't care less.

skybrian 4 hours ago

I understand not being happy about what Google is doing, but it seems like F-droid can’t be trusted not to heavily spin things.

cuvert 3 hours ago

If the companies would keep their own word and never overreach maybe nobody would overreact. How many times did we hear in the past "It's just for..."

skybrian 3 hours ago

If companies play nice, people will stop making stuff up about them? I don’t believe that for a second, and it’s a poor excuse for making stuff up.

echelon4 hours ago

There is no spin here. Google is pulling up the ladder.

There won't be an open web, there won't be user installs, there won't be anonymity.

Everything will be identified, attested, and allowed only when Google permits it.

Never mind them choking startups and small biz out of the oxygen they need to survive.

skybrian4 hours ago

What are you talking about? Android Device Verification has nothing to do with what websites browsers can access.

kuschku2 hours ago

Recaptcha already requires a Google-certified Android device today. That does heavily restrict what websites a browser can access.

RIshabh2352 hours ago

we need to create a new os

stavros4 hours ago

I don't understand how this is legal in the EU under the DMA, does anyone know?

pimeys4 hours ago

I already contacted the DMA authorities and complained how this has an effect on German diabetes communities and they replied that I am not the first one who approaches them on this and they are already investigating it.

Google is just trying how far they can push this.

sebastiennight4 hours ago

Do you have any pointers on how to find the correct authority and reach out? I'd like to inform my EU audience.

stavros4 hours ago

Excellent, I emailed them too but no reply yet. Yeah, given that we should be able to choose what app store to install, this seems wildly illegal.

hurfdurf4 hours ago

https://www.eu-digital-markets-act.com/Digital_Markets_Act_A... Art 6 (4). Read it to the end. That's how.

tsimionescu3 hours ago

I don't get what part of that you think enables them to deny access to third parties distributing their apps on alternate stores. If you're referring to the last paragraph, that very explicitly says that any such security must be an optional setting that is not default. So unless users opt into verified only apps, Google can't force that, according to the DMA.

hurfdurf2 hours ago

Maybe not, but reading their blog posts about ADV next to the DMA text, that's certainly the angle they are trying. And it will be years if it ever comes to a court hearing.

And the setting is "optional", just do the 24h-waiting song and dance to change it, or use ADB. /s

dwoldrich3 hours ago

This is more than enshittification, it feels like purposeful brand destruction.

Are governments going to institute more lockdowns? Is this some top-down control thing?

I will root this POS android phone I have and forego any Google Play services and just use it as a web browser and a phone. Fuck these guys!

spwa42 hours ago

So wait ... Google intends to enforce this on old versions of android?

modzu2 hours ago

how is graphene these days, or is there a better alternative that can run map apps that depend on google play services (like waze)?

wazoox3 hours ago

I've already disabled Play Protect ages ago because it kept removing apps I had installed through F-Droid. Actually, I almost only install apps via F-Droid. I wonder if the ADV will install with Play Protect disabled?

slowmovintarget7 hours ago

> Disguising itself as the innocuously-titled “Android Developer Verifier” (ADV) process, this trojan horse runs surreptitiously in the background as a system service with full root privileges, quietly awaiting an activation signal. The service cannot be blocked, disabled, or removed. Unlike a commonplace bit of malware, this extraordinary strain won’t be detected and neutralized by Play Protect (the malware scanning and remediation service that is installed on all Android Certified devices). In fact, Play Protect is itself the vector through which this virus is transmitted and installed.

> That is because it is Google themselves who is propagating ADV. And once activated, this malevolent process has exactly one goal: to block you from running software by developers who haven’t been approved centrally by Google.

The rest of the article is a claim that Google's new terms of service amount to "malware is any software we [Google] don't like."

It seems like Google is aiming for its own walled garden.

ranger_danger7 hours ago

> How long before they designate all ad-blocking software as malware, block installation on all Android certified devices worldwide, and permanently designate all developers of this class of software as malware creators?

Classic slippery slope fallacy.

https://en.wikipedia.org/wiki/Slippery_slope

History shows that when a "slope" appears... regulation steps in, technology evolves to solve the problem, or the culture shifts to reinterpret the thing.

In almost every case, the feared "bottom" of the slope was never reached because humans constantly built ramps or bridges along the way.

weikju7 hours ago

> In almost every case, the feared "bottom" of the slope was never reached because humans constantly built ramps or bridges along the way.

Perhaps it happens because the slope is called out...

Terr_2 hours ago

Much like the fallacy behind: "The Y2K bug was a total hoax, you can tell because nothing much happened on 2000-01-01."

thinking_cactus4 hours ago

I alternate my thoughts frequently (which I believe is healthy), and sometimes I think we should let things take their course a bit more before reacting. It's certainly tiresome and can be pointless (some people claim 'hysterical') to fight lots of changes, not necessarily this one but some like it.

But I've come to realize there are serious downsides to letting things run their course too. Some changes are very hard to roll back (famous 'cat's out of the bag') just taking a lot of time to reverse if ever. For example, once there is a long term contractual agreement, if one party decides to roll back they may just not be able to until the contract expires (like renting land; or worse, selling). A change in software systems for example that need backward compatibility can be quite difficult in technical and nontechnical ways.

I think people need to also keep some sympathy for the protests and let people protest more. I'm leaning more toward: if in doubt, provide visibility to a cause (even if not full support). It's okay to save yourself some energy (in particular for the most important causes). Some things might have to run their course for people to understand they were valuable, and we will probably have to eat some frogs as a consequence. Don't lose your sanity ;) (As the saying goes, "Don't you dare go hollow.")

aerzen2 hours ago

There is precedent of Google making changes in light of "security" that break ad blocking Chrome extensions. See Chrome extension manifest 3.

So this concern cannot be dismissed with just "slippery slope fallacy"; it's a new vector of the same power grab strategy.

ozgrakkurt4 hours ago

This is a useless argument since there is no way to measure what case is this and what is not.

You can say "Classic slippery slope fallacy." to whatever seems like that to you.

This is an antipattern to scientific thinking as you can frame something x and then say all x are like this, look I created this framework to think about x. But in reality there is no empirical basis for this thought. And it serves no purpose other than doing more argument or winning arguments.

In the end what you wrote equates to "I don't think all of this will happen".

Chaining many possibilities makes the outcome less and less likely obviously.

Also the same principle applies to most religions I know of, for example:

- Assume there is God

- Assume it did create universe.

- Assume x

...

Then this also fits the same pattern and can be called the "x fallacy" but it is useless to create an argument like this. This is useless mainly because this thinking pattern is ubiquitous in any world view.

More productive discussion might be to pick some steps in the theory they chained together and argue on that imo.

RedComet3 hours ago

"or the culture shifts to reinterpret the thing"

Yes. You see it already.

"Actually it is good that I can't run programs that haven't been approved by Google on my own device."

dminik4 hours ago

Is it a fallacy if you've said before that Google is aiming to create a walled garden, Google itself has already started saying it wants a walled garden and they've already implemented several such steps?

charcircuit4 hours ago

This is not malware. It's an official part of Google Play Services.

ale423 hours ago

It all depends on how you define malware. If malware is software doing something that is contrary to the user's interests, then for many users it is indeed malware.

someonebaggy3 hours ago

Too much hedging in this comment.

Malware is something that maliciously breaks your computer.

This maliciously breaks my computer so it's malware. There's no difference between this and the ILOVEYOU virus, except the delivery mechanism.

spaqin2 hours ago

Can I install some software on your computer to send me over your bank details? It won't break your computer, I promise, it's not malware.

charcircuit3 hours ago

> this malevolent process has exactly one goal: to block you from running software by developers who haven’t been approved centrally by Google.

This claim is made by F-Droid with no evidence. They make this scary claim which goes against everything Google has claimed so far. They are a biased party, and I can't trust their opinion. I would appreciate if they shared a more in-depth investigation or a way to verify their big claim.

psd12 hours ago

Trust is not binary; we can process data with a level of confidence. We do not need either Google or F-Droid to be sanctified before we evaluate their claims.

The claim is that a repeat monopolist is doing monopolist things. Feel free to make the case for the trustworthiness of Google's opposing claim, as I don't see anyone else doing that.

notrealyme1232 hours ago

Google wrote their plans as blog posts.

charcircuit2 hours ago

But the plan doesn't include blocking developers who are not verified. You can still sideload such apps.

mdp20213 hours ago

The point is that it is said to tamper with your installations. If it does, it is malware.

charcircuit3 hours ago

It doesn't tamper with your installations.

Aachen2 hours ago

Oh? Maybe you could comment on what part of the f-droid article is wrong

psd12 hours ago

False

RobotToaster3 hours ago

Those are not mutually exclusive.

someonebaggy3 hours ago

Which is malware.