[HN Gopher] Malware on My Android Phone
___________________________________________________________________
Malware on My Android Phone
Author : rossjudson
Score : 306 points
Date : 2021-01-11 06:51 UTC (15 hours ago)
(HTM) web link (www.beust.com)
(TXT) w3m dump (www.beust.com)
| ignoramous wrote:
| Ex-AOSP hacker here. I felt it strongly at the time too that
| Android didn't need anti-Malware [0] but I don't anymore.
|
| Some 5 years ago, I switched to Firefox Mobile out of annoyance
| because Chrome refused to block all those popups random websites
| would show with some prompting an app install.
|
| Google has since made a _lot_ of improvements including
| tightening up which apps can install other apps (not a blanket
| permission anymore), running the _Potentially Harmful
| Applications_ program, narrowing down fingerprinting (still some
| way to go as evident by TFA). Google is even locking the code up
| that runs _outside_ of Android in _crosvm_s [1]. I'm positive,
| things will improve [2] even if slowly because Android, at this
| point, is the most widely distributed OS and they can't move as
| fast anymore without hurting developers and users.
|
| Google did implement what they call _AppOps_ (2013) which paved
| the way for a tremendous amount of user control over app
| permissions. They
| removed _AppOps_ citing that it was never meant to be used by
| end-users but by _AOSP_ and app developers [3].
|
| Fortunately, if Android is rooted, one can use _AppOps_ [4]; but
| then rooting exposes one to an incredible amount.
|
| Besides, there are LittleSnitch-esque firewalls for both root and
| non-root devices [5].
|
| [0] https://arstechnica.com/information-technology/2011/11/mobil...
|
| [1] https://youtu.be/edqJSzsDRxk
|
| [2] https://android-developers.googleblog.com/search/label/Secur...
|
| [3] https://www.zdnet.com/article/google-removes-awesome-but-uni...
|
| [4] https://github.com/MuntashirAkon/AppManager
|
| [5] https://awesomeopensource.com/projects/android/firewall
| sloshnmosh wrote:
| Another problem is with the cheap Android devices that come with
| a preinstalled rootkit disguised as the firmware update app.
| (fota.apk)
|
| It uses LUA scripts to install apps remotely and can grant any
| app any permission and run as system level through reflection.
|
| The government funded LifeLine phones that are given to the poor,
| disabled and veterans are all infected with this malware.
|
| Here is an excellent technical analysis of the rootkit:
|
| https://wuffs.org/blog/digitime-tech-fota-backdoors
| alex_duf wrote:
| Oh I'm so glad this has been posted!
|
| I've been a victim of that specific malware and I was wondering
| how on earth did it happen as I'm usually careful enough when it
| comes to security. I also had the barcode scanner app. I didn't
| go as far as the author and I did a factory reset.
| gberger wrote:
| How is the average user expected to use adb and Android Studio to
| identify & remove malware from their phone?
|
| Android security is broken.
| literallycancer wrote:
| You are supposed to debloat all the malware that comes with
| your phone, courtesy of the manufacturer. If you are not
| capable of that, or don't care enough to have someone do it for
| you, you'll have to get used to ads. Annoying ads are
| considered a feature on stock Android builds.
| Daho0n wrote:
| Installing an app that pops up ads isn't malware. The security
| model worked just fine.
| HenryBemis wrote:
| I've switched to Android (Huawei) 2-3 years ago (after the Apple
| battery fiasco). I keep installed (and updated) the NoRoot
| Firewall app, which by default blocks all access.
|
| I also added to my mix the Nova Launcher. It makes it easier to
| tap&hold an app icon, gives you a quick shortcut straight to the
| specific app's Settings --> Apps --> specific app's properties,
| in which I (usually) block access to data/wifi/roaming/background
| (e.g. for a QR Code reader app).
|
| 90% of my apps do not need to reach out to the interweb, and I
| block them both on Settings as well as Block Data/Wifi on NoRoot
| Firewall.
|
| Although Huawei is being Huawei-ing (some sneaky apps are
| running).. I do like the interface into "Manually" managing
| background running (battery), internet access.
| vSanjo wrote:
| I'm not trying to be facetious or rude, but that seems like a
| massive decision against something that was largely fixed? I
| can understand if you had software-problems with iOS but I
| didn't see that in your comment.
|
| Managing those kinds of blocker apps, and security and such are
| all great when you're 'in the zone' and have it fresh at the
| forefront of your thoughts. For me, it only takes a week or so
| of not thinking about it before my standards slip and I have
| Just Another Application(tm) running.
| HenryBemis wrote:
| > you had software-problems with iOS
|
| I didn't have any probs with software while using iPhones. I
| was jailbreaking them, installing a similar firewall and had
| my mind at ease. I would go to Apple in a heartbeat if they
| stopped lying and allowed rooted/jailbroken phones.
|
| It is nice to see that on a comment 95% on Android people
| still downvote me for (justifiably) trashing Apple. They got
| caught cheating. Then they got caught lying. Then they were
| found guilty. Apple fanboys are having a party downvoting.
| Fun fact: "HN karma" is virtual, while the $1k that they pay
| Apple every year is a REAL number. Keep rocking folks. I
| guess when someone spits on your coffee you downvote the
| commenter and keep going back to the same coffee place,
| right?
| (https://bgr.com/2020/07/13/iphone-batterygate-lawsuit-settle...)
|
| > and I have Just Another Application(tm) running
|
| this is absolutely normal/logical. A friend suggested the
| 7min workout by Johnson & Johnson. Nice app, free, has these
| simple 7mins workouts, also has warm-up/cool-down if you want
| the extra 7-8mins.. very nice. Loving it.
|
| It doesn't need internet connection to fully operate
| (workouts). I don't need it to "back up my progress in their
| cloud". So it stays offline (forever). It takes 1min when I
| install that new/extra app to bolt it down and have it behave
| just as I want (and does not disrupt me with notifications or
| leak data or kill my battery).
| NiceWayToDoIT wrote:
| test
| sloshnmosh wrote:
| test failed
| iamtedd wrote:
| All I see is hunter2.
| ce4 wrote:
| I trust the F-Droid store more due to its curated (FOSS-software-
| only/no-trackers) maintainer based model and default to them if
| there's an app that I need, especially simple stuff that tends to
| mostly be adware on the playstore
| FriedrichN wrote:
| On a side note, my bank is now forcing me to use their app
| which can only be downloaded from the Play Store (which I will
| never install). When I complained they told me it's because
| they think it's more secure than their current method which is
| a card reader, I tried to explain to them the average phone is
| teeming with malware, but they simply wouldn't believe me.
|
| I am currently looking for a new bank.
| hadrien01 wrote:
| You can use AuroraStore from F-Droid, it allows you to
| download apps from the Play Store without a Google account.
| simonmales wrote:
| Nice tip!
| Daniel_sk wrote:
| It will probably be not good enough, many banking apps
| are using Google Safety Net to detect rooted or not
| Google certified devices with Google Play installed
| indirectly. AFAIK it's now quite difficult to break. I
| sort of understand the bank decision on this. There is a
| lot of malware on Android and users are easily tricked
| into installing some side-loaded APKs, and there is also
| a lot of hidden malware on Google Play which is hard to
| find (e.g. it downloads a payload after the store review
| is done). This would be a disaster since on Android you
| can for example use accessibility services to read any
| input from the user and also control the device. So you
| can circumvent 2FA and make transactions on behalf of the
| user on the device. There has been a lot of banking malware
| on Google Play. I think they are getting it a bit under
| control now, but it's still very dangerous.
| christophilus wrote:
| I wonder if it would be possible to have something like
| qubes or maybe like docker that could run a full-fledged,
| sandboxed Android instance for a single app, while
| running FOSS like a sane person as your primary
| ecosystem.
| ce4 wrote:
| That's happening a lot, switching your bank won't help at least
| not for long. I guess "[x] force smartphone users to use the
| app" is part of some security checklist now.
|
| I got a workaround by switching to desktop mode, when that
| didn't work anymore by using Fennec (FF mobile fork with
| relaxed addon support) + useragent switcher
| sydd wrote:
| kinda similar for me. When I look for a small app like a QR
| code scanner or a flashlight I search for "QR code scanner open
| source" or "QR code scanner github" to easily find the open
| source ones that likely don't contain ads or malware
| kuon wrote:
| About QR code, isn't that the sort of thing that would be super
| more efficient to do in hardware at the camera chip level?
|
| This makes me think that it would be nice to be able to load
| "camera sensor scripts" in a similar way to GLSL for GPU, for
| filtering and analysis using hardware. (it might be possible, I
| am not an android developer)
| hnburnsy wrote:
| Blockada has a nice Hostlog view to show requests in real time.
| Have caught websites I thought I had blocked this way. Wish it
| would tell me which App made the request.
| Cactus2018 wrote:
| https://f-droid.org/packages/org.blokada.fem.fdroid/
| c_prompt wrote:
| > Listing the apps installed on my phone should give me the
| option to sort them by "Latest installed". I am pretty sure that
| if I had had this option and I had seen a QR Code Scanner
| installed just a few days ago, it would have immediately grabbed
| my attention. As it is, the way Android lists the installed apps
| is pretty useless for this purpose.
|
| I was able to find it pretty quickly by going to:
|
| Settings > Battery > Usage Details > Battery Usage Since Full
| Charge
|
| This showed me the most recent app used. As I hadn't used the QR
| scanner app in quite some time, it seemed a reasonable place to
| look first.
| aembleton wrote:
| That shows you the most recent app used, but he needed the most
| recent one installed.
| Garvey wrote:
| Play Store > My Apps and Games > Installed, and then change
| the sort order to "Last Updated".
| Maxburn wrote:
| I don't have an Android device here to confirm but I suspect
| if it was just installed and never updated it won't show in
| that list.
| TooCreative wrote:
| Strange article
|
| > I unlocked my phone and two accidental clicks led me to agree to
| > a dialog that my brain immediately registered as suspicious
|
| What type of dialog can pop up on your Android screen after
| unlocking and install "malware"? What is "malware" here? It looks
| like they mean an app from the play store?
|
| > The next day, I picked up my phone and when I launched Chrome, I
| > immediately noticed it was displaying a spammy URL.
|
| How can one app alter the behavior of another?
| sloshnmosh wrote:
| What I believe the author is saying is that he received a push
| notification to chrome from the malicious app.
|
| Coincidentally, I just spent my Saturday evening poring over
| malicious JavaScript hosted on Cloudfront that does extensive
| browser fingerprinting and if a match is made to an Android
| device a fake Captcha pops up in Chrome which actually enables
| push notifications and from there a full screen pop-up appears
| that vibrates the devices and claims the phone is infected with
| (N) viruses and the "repair now" button pulls up the Play Store
| app to install DFNDR antivirus/cleaner.
|
| If you look at the reviews of that app you'll see all the angry
| reviews of users having their browsers hijacked.
|
| The app itself is just an advertising server wrapped around
| Avast's detection engine and is funded by the Chinese Qihoo.
|
| It harvests users' social media data and charges the users
| almost $10 a month after a 3 day trial period.
|
| Novice users are unable to delete the app if "advanced
| protection" is enabled because it becomes a device
| administrator and uses deceptive language to confuse the user
| trying to remove the app.
|
| If the app gets installed it will not let you clear the storage
| of the app from within settings even if you had never opened
| the app and before you agree to any terms and conditions.
|
| The fake virus warnings that lead to DFNDR have been going on
| every single day since 2013.
|
| I'm putting together a webpage that will include the JavaScript
| and other details as we speak.
|
| The Google Play Store is a dumpster fire full of scam apps and
| Scummy developers.
| TooCreative wrote:
| > he received a push notification to chrome from the malicious
| > app
|
| What does that mean? How does an app send a "push
| notification" to Chrome?
| derivagral wrote:
| Not GP, but my interpretation: app sent a general push
| notification which, when tapped, opened a malicious URL in
| Chrome as the next step of this "funnel".
| varenc wrote:
| > fake Captcha pops up in Chrome which actually enables push
| notifications
|
| Wow, this sounds like a classic clickjacking vulnerability.
| That's still possible on modern[ish] Android? Definitely
| interested in your write up.
| Daho0n wrote:
| No, it is not.
| Schlaefer wrote:
| > What type of dialog can pop up on your Android screen after
| unlocking and install "malware"? What is "malware" here? It
| looks like they mean an app from the play store?
|
| That would be the case if you enable sideloading, but that
| isn't mentioned in the article. Is it possible to install an
| app via popup without going through the store? This needs some
| clarification.
| jm_l wrote:
| They mention at the bottom of the article that they did
| enable side loading, that's how the app was installed.
| Schlaefer wrote:
| If that would be the case what is the point of the article?
| Of course Google Play Protect shouldn't interfere with a
| side-loaded app. One major reason for side-loading (after
| giving explicit consent and ignoring all the warnings
| associated) is to allow applications Google wouldn't
| approve.
| david_allison wrote:
| Google Play Protect also warned on unknown sideloaded
| apps (and requested an upload for a scan) when I tried it
| ~half a year ago. Documentation[0] implies this is still
| the case
|
| > It checks your device for potentially harmful apps from
| other sources. These harmful apps are sometimes called
| malware.
|
| > If you choose to install apps from unknown sources
| outside of the Google Play Store, turning on the "Improve
| harmful app detection" setting will allow Google Play
| Protect to send unknown apps to Google to protect you
| from harmful apps.
|
| [0] https://support.google.com/googleplay/answer/2812853?hl=en
| tjpnz wrote:
| Something similar happened to me a few years back after I
| accidentally tapped an ad in Chrome (an ad delivered by Google
| no less). While I didn't get infected the site did start
| displaying system like prompts (my phone was also vibrating at
| this point and playing the same sound I get when there's a
| natural disaster) saying my device was infected and that I
| should tap OK to download an apk.
|
| I did several things after this:
|
| - Reported the ad to Google (no followup from their side -
| naturally).
|
| - Removed Chrome.
|
| - Installed Firefox and uBlock Origin.
| aembleton wrote:
| How did you remove Chrome?
| literallycancer wrote:
| You can disable system apps so they don't show up even
| without root. If you have root you can also uninstall them.
| Just open a terminal, su and use pm uninstall to uninstall
| for your user or all users (you can reinstall the same way
| if you end up needing it later). No reason to use the
| provided Chrome when you can just use Bromite though.
| llarsson wrote:
| Can't an app ask for a website to be opened, and then that
| would cause the standard browser to display said website and
| URL?
|
| It does not sound to me like the Chrome app was infected, just
| told to open a page.
| UncleMeat wrote:
| Yes this is basic (and incredibly common) behavior. The
| alternative is often much worse (an embedded WebView in each
| app to do things like open TOS pages).
| ytch wrote:
| > How can one app alter the behavior of another?
|
| In Defcon 2, author finds a log with intent:
|
| {act=android.intent.action.VIEW
|
| Android will handle the URI with the default app. The malware sends
| HTTP url, so it will be opened by default browser.
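
Added example, not part of any comment above: one way to answer both c_prompt's "sort by latest installed" question and ytch's point about `android.intent.action.VIEW` from saved `adb shell dumpsys package packages` and `adb logcat` output. The package names, uids and URLs are constructed, and the field layout is assumed to match what AOSP prints.

```python
import re
from datetime import datetime

# Constructed stand-in for `adb shell dumpsys package packages` (relevant fields only).
DUMPSYS_SAMPLE = """\
Packages:
  Package [com.android.chrome] (aaa1111):
    userId=10090
    firstInstallTime=2019-03-02 09:14:10
    lastUpdateTime=2021-01-04 22:01:45
    installerPackageName=com.android.vending
  Package [org.example.notes] (bbb2222):
    userId=10154
    firstInstallTime=2020-06-11 12:00:31
    lastUpdateTime=2020-11-20 07:30:00
    installerPackageName=org.fdroid.fdroid
  Package [com.example.qrscanner] (ccc3333):
    userId=10201
    firstInstallTime=2021-01-08 17:42:03
    lastUpdateTime=2021-01-08 17:42:03
    installerPackageName=null
"""

# Constructed logcat lines in the activity-manager "START ... from uid N" shape;
# the URL path is kept elided ("/...") as such lines commonly appear.
LOGCAT_SAMPLE = """\
01-09 08:15:02.123  1521  1710 I ActivityTaskManager: START u0 {act=android.intent.action.VIEW dat=http://ads.example.invalid/... flg=0x10000000 cmp=com.android.chrome/com.google.android.apps.chrome.IntentDispatcher} from uid 10201
01-09 08:20:11.456  1521  1710 I ActivityTaskManager: START u0 {act=android.intent.action.MAIN cat=[android.intent.category.LAUNCHER] flg=0x10200000 cmp=org.example.notes/.MainActivity} from uid 10040
01-09 09:02:44.789  1521  1710 I ActivityTaskManager: START u0 {act=android.intent.action.VIEW dat=https://docs.example.invalid/... flg=0x10000000 cmp=com.android.chrome/com.google.android.apps.chrome.IntentDispatcher} from uid 10154
"""

PKG_RE = re.compile(r"^\s*Package \[([^\]]+)\]")
KV_RE = re.compile(r"^\s*(userId|firstInstallTime|lastUpdateTime|installerPackageName)=(.*)$")
START_RE = re.compile(r"^(\S+ \S+)\s.*START u\d+ \{(.*)\} from uid (\d+)")
TIME_FMT = "%Y-%m-%d %H:%M:%S"


def parse_packages(dump):
    """Return one dict per 'Package [name]' stanza with uid, times and installer."""
    pkgs, cur = [], None
    for line in dump.splitlines():
        m = PKG_RE.match(line)
        if m:
            cur = {"name": m.group(1), "uid": None, "installed": None,
                   "updated": None, "installer": None}
            pkgs.append(cur)
            continue
        m = KV_RE.match(line)
        if not m or cur is None:
            continue
        key, val = m.group(1), m.group(2).strip()
        if key == "userId":
            cur["uid"] = int(val)
        elif key == "firstInstallTime":
            cur["installed"] = datetime.strptime(val, TIME_FMT)
        elif key == "lastUpdateTime":
            cur["updated"] = datetime.strptime(val, TIME_FMT)
        elif val != "null":          # no recorded installer, e.g. a side-loaded APK
            cur["installer"] = val
    return pkgs


def recently_changed(pkgs, since):
    """Packages installed OR updated on/after `since`, newest first.
    lastUpdateTime equals firstInstallTime for a never-updated app, so it covers both."""
    hits = [p for p in pkgs if p["updated"] and p["updated"] >= since]
    return sorted(hits, key=lambda p: p["updated"], reverse=True)


def browser_launches(logcat, pkgs):
    """VIEW intents carrying an http(s) URI, attributed to the sending uid's packages."""
    by_uid = {}
    for p in pkgs:
        by_uid.setdefault(p["uid"], []).append(p["name"])
    out = []
    for line in logcat.splitlines():
        m = START_RE.match(line)
        if not m:
            continue
        fields = dict(f.split("=", 1) for f in m.group(2).split() if "=" in f)
        if fields.get("act") != "android.intent.action.VIEW":
            continue
        if not fields.get("dat", "").startswith(("http://", "https://")):
            continue
        uid = int(m.group(3))
        out.append({"time": m.group(1), "url": fields["dat"],
                    "target": fields.get("cmp"),
                    "senders": by_uid.get(uid, ["uid %d" % uid])})
    return out


def triage(dump, logcat, since):
    """Browser launches sent by packages that were installed or updated recently."""
    pkgs = parse_packages(dump)
    recent = {p["name"] for p in recently_changed(pkgs, since)}
    return [l for l in browser_launches(logcat, pkgs) if recent.intersection(l["senders"])]


if __name__ == "__main__":
    for hit in triage(DUMPSYS_SAMPLE, LOGCAT_SAMPLE, datetime(2021, 1, 1)):
        print(hit["time"], hit["senders"], "->", hit["url"])
```

Sorting on `lastUpdateTime` rather than only `firstInstallTime` matters for the cases in this thread where a long-installed scanner app turned bad after an update.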
| asddubs wrote:
| Coincidentally, I was trying to download a qr code scanner app on
| my new phone the other day, and looking at the listing, trying to
| discern which ones were going to be overly greedy with
| permissions and ad spam led me to immediately installing f-droid
| again. originally i hadn't planned to bother with it, but man the
| google play store is in really bad shape. and advertised apps are
| just a stupid concept that needs to die.
| m1gu3l wrote:
| a not so obvious protip: you usually don't even need a "qr reader
| app" modern phone camera apps will pop the link without having to
| install extra stuff.
| armada651 wrote:
| Sounds like it might be related to the reviews for this app?
|
| https://play.google.com/store/apps/details?id=com.google.zxi...
|
| A 2020 review talks about ads appearing after a recent "update",
| but the app hasn't pushed an update since 2018!
|
| I've always had this app installed and never experienced adware,
| perhaps those reviews are left by people falling victim to the
| copycat scam?
| riphdd2020 wrote:
| I had this app too, and I remember thinking it was weird
| because I think an official google developer blog (or something
| like that) mentioned the need to install it, as there was no
| built in QR code reader at the time. I can't remember which old
| phone I had it on though.
|
| I also think those reviews might be left by people who can't
| find the original offending app because it's been removed.
| https://www.apkshub.com/app/com.qrcodescanner.barcodescanner
| seems to show it had BILLING permission though, which is always
| an alarm bell.
| tallanvor wrote:
| The one you're looking at on apkshub is definitely a
| different app. The version number, last update, and
| permissions do not match what is in Play.
| riphdd2020 wrote:
| The one on apkshub is the one mentioned in the blog. Google
| has removed it from google play.
| https://play.google.com/store/apps/details?id=com.google.zxi...
| is a completely
| different, open source app, with unexplained bad reviews,
| probably nothing to do with the malware, and hasn't been
| removed by google.
| [deleted]
| timdaub wrote:
| FYI: I created a website that quickly scans QR codes so that you
| won't have to download or open any ads-filled QR code apps
| anymore:
|
| - https://scan.lol
|
| The code is open source too: https://github.com/TimDaub/scan.lol
| Mo3 wrote:
| Doesn't work for me, fyi. iPhone 11, white blank screen
| neotek wrote:
| You may know this already, but just in case: the iOS camera
| app has a QR reader built in, just point the camera at a
| valid code and it'll automatically display a tooltip
| containing the URL which will open in Safari if you tap it.
| opensmtpd wrote:
| There is also zxing.
|
| https://zxing.org/w/decode.jspx
| simonmales wrote:
| Ah, this is nice to have from the ZXing team.
| toper-centage wrote:
| I just use Firefox. There's a QR button on the URL bar
| EE84M3i wrote:
| > The code is open source too:
| https://github.com/TimDaub/scan.lol
|
| Am I missing something or does your repo only contain the
| minified version of the javascript, and not contain the
| `index.js` referenced in the `package.json` nor the method to
| build to minified artifacts? This seems like it's not open
| source.
| timdaub wrote:
| Hey,
|
| thanks for pointing that out. Rest assured, the site is 100%
| open source as I'm simply publishing the repo using GitHub
| Pages. There's no build step.
|
| Regarding package.json's main file: It's a mistake. I did not
| update it properly after I did `npm init`.
| EE84M3i wrote:
| Where does
| https://github.com/TimDaub/scan.lol/blob/master/qr-scanner-w...
| come from then?
| j1elo wrote:
| The lesson here is not "oh look the author is stupid because they
| installed a shitty QR scanner app and didn't notice the obvious
| mistake".
|
| The lesson should be; even very experienced technical people fall
| onto the malware trap. We all have day-to-day problems,
| unexpected stuff happening, in short _life_ doing its thing. We'll
| inevitably end up being victims of a scam that happens just
| the worst possible day of them all, because _reasons_.
|
| Thus the problem is not _if_ we'll also fall on the trap, but
| what tools we'll have at our disposal _when_ we do, and to what
| extent the Operating System will be there helping to protect us
| (and/or help us diagnose the issue...)
| drcongo wrote:
| My takeaway from this post is never use Android. Not that I
| ever would.
| alex_duf wrote:
| I've had the same issue as the author of the post.
|
| The barcode scanner wasn't any shitty app, it was the one that
| was recommended a long time ago by Google authenticator. I had
| left it installed on my phone and it must have had the dodgy
| update that got it banned from the app store.
| riphdd2020 wrote:
| > the one that was recommended a long time ago by Google
| authenticator
|
| That's where I remember it from, thanks! However I think
| there's some confusion here: the one the blog mentions is not
| https://play.google.com/store/apps/details?id=com.google.zxi...
| (github based, relatively trustworthy looking, recommended
| by Google Authenticator back in the day), it's the now
| removed qrcodescanner app:
| https://webcache.googleusercontent.com/search?q=cache:38t1gW...
|
| I think those bad reviews on
| https://play.google.com/store/apps/details?id=com.google.zxi...
| are because the malware
| probably used the zxing qr library, and there might be traces
| left in it, or these users are just confused (or the malware
| app deliberately pointed low star reviewers to the github
| competitor app in the play store). As others have stated,
| this github app with the bad reviews hasn't been updated for
| a long time.
|
| If the malware is also in https://github.com/zxing/zxing , I
| really hope they do a postmortem to explain how. The fact
| that https://play.google.com/store/apps/details?id=com.google.zxi...
| still exists though, while the app mentioned in the
| blog has been removed by google, makes me think the zxing app
| is clean.
| Rooster61 wrote:
| Hang on a second, something is fishy here. I had an issue
| that mirrors what was happening on the zxing reviews. I
| was getting a full page ad every 15 minutes or so after
| unlocking my phone.
|
| The rub? It wasn't this app. It was another one that was
| also called barcode scanner. It was also beginning to
| garner negative reviews, which the developer (had a
| Ukrainian email address) had begun responding to saying the
| app was perfectly legal because it was serving ads only
| inside the app itself.
|
| I'm wondering if that deluge of bad reviews is directed at
| the wrong app? I'll look to see if I can still find the
| google play page for the one I had.
|
| Also, I had that app for a LONG time before it started
| displaying this kind of behavior just last month, which
| also corresponds to the bad reviews starting on the zxing
| app.
| crossroadsguy wrote:
| As an iPhone user and an Android developer my lessons learnt,
| over the time, are:
|
| 1. Do not trust Google to vet the apps in the play store. They
| won't; they don't even try.
|
| 2. Those shiny Play Protect and whatnot postured around by
| Google are practically utterly useless bs/bloat
|
| 3. Stick to famous, really famous apps from the Play Store - as
| in well known - e.g. Facebook, Netflix, Evernote etc (you will
| be tracked of course, you won't be hacked - you pay this price
| by using Googled Android anyway)
|
| 4. If you couldn't find a well known app on Play Store - head
| to https://www.f-droid.org
|
| 5. Do not, just do not download any other app on your phone
| (treat it as a no exception rule) unless you know what you are
| doing and possibly can look at the code - find something decent
| as an APK from GitHub et al.
|
| 6. Be very miserly when it comes to doling out permissions to
| apps. Your default should be "no".
|
| 7. Privacy (not really) and safety are just superficial polish
| by Google on Android OS - their core and only focus developing
| the OS is: making it as much of an ad platform as they can and
| on top of that how to get a bigger and bigger cut of the
| overall ad revenue with every release.
| ladyanita22 wrote:
| You speak as if you were any kind of authority.
|
| Nowadays anybody can be an Android developer, India is full
| of teenagers doing it.
| rxhernandez wrote:
| I was a teenager doing Android Development in 2010. What
| difference does age make in this discussion?
| ladyanita22 wrote:
| What I mean is that it's not a valid argument to
| establish the authority of the speaker.
| the_jeremy wrote:
| Why isn't it? Teenagers in India can have authority on a
| subject and more experience in certain areas than I do.
|
| I'm not taking their post completely on faith. It matches
| up with my previous experiences, including the article
| we're currently talking about and related articles I've
| read.
|
| Is there a specific issue you have with their point, or
| did you just want to point out that they're not special
| for making apps?
| maxmalysh wrote:
| http://www.paulgraham.com/disagree.html
| ladyanita22 wrote:
| TL;DR
| Qub3d wrote:
| The part of pg's comments that relates to your comments
| is this part:
|
| "Saying that an author lacks the authority to write about
| a topic is a variant of ad hominem--and a particularly
| useless sort, because good ideas often come from
| outsiders. The question is whether the author is correct
| or not. If his lack of authority caused him to make
| mistakes, point those out. And if it didn't, it's not a
| problem."
|
| But in general, Paul Graham isn't saying anything that is
| novel to this site's comment guidelines:
|
| Be kind. Don't be snarky. Have curious conversation;
| don't cross-examine. Please don't fulminate. Please don't
| sneer, including at the rest of the community.
|
| Comments should get more thoughtful and substantive, not
| less, as a topic gets more divisive.
|
| https://news.ycombinator.com/newsguidelines.html#comments
| swiley wrote:
| IMO: the lesson here is that restricting people to the OS
| vendor's software repository doesn't prevent malware. The only
| way to even help that is via community review (note that apple
| doesn't review internal behavior of the apps or instrument them
| in any way, they just have someone try using them behind a
| proxy) and enforcing public available source code like fdroid.
| FloayYerBoat wrote:
| "the lesson here is that restricting people to the OS
| vendor's software repository doesn't prevent malware"
|
| This was a side-loaded app on an unlocked phone. What am I
| missing?
| 3pt14159 wrote:
| I took away another lesson: One of the early developers of
| Android doesn't replace his phone even after being absolutely
| certain it had malware.
|
| That kinda blows my mind.
| r1ch wrote:
| Doing so would mean you don't trust the Android security
| model. No app can be granted permission to affect the OS or
| other apps unless the phone is rooted and you give it root.
| 3pt14159 wrote:
| I mean, I don't trust as a binary. I have continuums of
| trust from very little to very much. I know that people are
| capable of privilege escalation and persistence. I've seen
| it with my own eyes. I know it's unlikely that that
| specific piece of malware was able to get persistent root,
| but it could have and it also could have exfiltrated
| cryptographic keys or certificate or bearer tokens while it
| was on there. Better to just get a new phone if you're such
| an experienced software developer that you literally helped
| build Android.
| drewmol wrote:
| If you don't fear as a binary then threat assessment and
| mitigation cost may be a factor. Could be a closet ios
| user.
| Shivetya wrote:
| I do not use an Android phone, is there an easy means to
| restore one to factory condition? Is there a simple process
| to save and restore your phone to your PC/Mac similar to how
| Apple does it?
|
| (my father has an android phone and now I suddenly find
| myself curious about save/restore and how to find malware on
| his phone)
| goldcd wrote:
| Yes - it's very easy to do a factory reset on your phone.
|
| No - There is no 'easy' way to store/restore the entire
| phone as I believe Apple does. (I had a miserable day doing
| this, when my old Pixel started playing up and had to
| migrate across to a replacement) - and this was best case
| when I had the two phones next to each other.
|
| Core 'google' stuff seems fine - either all tied to your
| account (e.g. contacts) or google app data (texts, pictures
| etc) which can be backed up to cloud, or directly migrated
| between phones.
|
| What doesn't work is the logins/settings for all the random
| apps. Some do store on cloud. Some allow manual
| export/import of settings. Some you're going to have to
| setup again from scratch.
|
| Back in the day when I did root my phone, TWRP and similar
| things let you image/restore the whole phone.
| userbinator wrote:
| Older Mediatek platform phones let you read/write the
| entire internal flash (eMMC) directly, which is AFAIK the
| full extent of persistent writable storage.
|
| That is the _true_ "factory reset", as it's how they were
| first loaded with software in production. I believe the
| more widely-known and generic Android reset is merely
| restoring from an internal partition.
| gruez wrote:
| AFAIK since android uses read-only system partition,
| there's nothing to restore. It just wipes the data
| partition and that's it.
| goldcd wrote:
| Indeed.
|
| If you look at the storage requirements of an app, you
| can see it's split between "App Size" and "User Data"
| (along with a cache).
|
| AFAIK there's no way to actually backup/move the user
| data without rooting. Now I can see why Google might not
| want to store all that (and why I might not want them to)
| - but it's somewhat silly not to have any options.
| codethief wrote:
| > No - There is no 'easy' way to store/restore the entire
| phone as I believe Apple does.
|
| I think Android phones with the Google Services Framework
| installed do provide such a way. Alternatively, if you're
| using a custom ROM (like GrapheneOS on Pixel devices),
| you can use Seedvault[0] for full backups of your phone.
| It basically acts as a drop-in replacement of the backup
| service provided by Google.
|
| [0]: https://github.com/seedvault-app/seedvault
| abrookewood wrote:
| That's a pretty extreme and expensive option. I think I would
| have just gone for a factory reset.
| 3pt14159 wrote:
| At the very least, yes. But I read something from a former
| NSA hacker once and he mentioned he replaces his computer
| and phone every quarter, in addition to a bunch of other
| paranoid things.
|
| I'm not that extreme, but I did replace my computer once I
| got back from Kiev. I'd rather not worry about it.
| prox wrote:
| I had an attack that kept the Malware _after_ a factory
| reset, and I contacted Lenovo about it. They confirmed it
| was indeed still intact.
|
| We even did a low-level reset (a representative guided me
| through it) but to his own surprise the malware was still
| there.
|
| I was out of warranty and I had to pay a sum to get it
| fixed, which was more expensive than buying a new tablet.
| growt wrote:
| That would be reasonable if the phone owner was likely the
| victim of some targeted attack (being a politician or
| something similar). But if it's just regular malware that was
| installed with a drive by download, I would trust the android
| security model that much.
| prox wrote:
| I wouldn't. Some malware can hide a lot deeper than a
| factory reset can erase.
| nodamage wrote:
| > _Google Play Protect was also completely unhelpful, which was a
| big disappointment._
|
| Google Play Protect performs notoriously poorly compared to
| dedicated malware apps:
|
| https://www.tomsguide.com/reviews/google-play-protect
| ocdtrekkie wrote:
| Yeah, looking at the AVTEST.org results, it has generally
| appeared Google would've been better off buying a no-name
| competitor's app rather than trusting their own engineers to
| implement security software:
| https://www.av-test.org/en/antivirus/mobile-devices/android/...
| Causality1 wrote:
| Can you explain how you managed to install malware while
| unlocking your bootloader? The only two methods for unlocking
| I've ever used are OEM applications like Odin for older phones
| and simple ADB commands for newer ones, neither of which put you
| at particular danger from malware.
| Daho0n wrote:
| He didn't. It was just an app that was updated and started
| showing ads. Not malware as it cannot access anything but still
| annoying.
| Causality1 wrote:
| Ah. The way he worded his introduction made it seem like "two
| mis-taps" during the unlock process installed adware on his
| device.
| londons_explore wrote:
| Note that there is no evidence the security model is broken here.
| The 'malware' didn't access any private data.
|
| It just popped up annoying ads, which it doesn't need special
| permissions to do.
| nsomaru wrote:
| > It just popped up annoying ads, which it doesn't need special
| permissions to do.
|
| Maybe that's the problem?
| londons_explore wrote:
| Yes, but trusted UI is needed to require permissions for
| things like that (ie. so that every pixel on the screen of
| the phone the user can be aware which app and security
| 'container' it came from).
|
| That is pretty hard to achieve, and no mobile or desktop
| platform really has it.
| marcodiego wrote:
| Play store should allow to filter by license and anti-features.
| That would make it as usable as f-droid.
|
| As an example: try to find a non-ad-infested flashlight app on
| play store, then try to find a single ad-infested flashlight app
| on f-droid.
| filipo wrote:
| As sad as the incident is: I am glad he is still committed to
| Android after being a team member and therefore equipped with a
| deep understanding about the platform and architecture itself.
| kwdc wrote:
| "Google Play Protect was also completely unhelpful, which was a
| big disappointment. First because Google certainly knows which
| applications they removed from their store for malware reasons,
| but even so, I would expect Google Play Protect to at least flag
| any app it finds on my phone that is not on their store. Such an
| app is not necessarily malware, but it should certainly be
| flagged.
|
| Google Play Protect could also do some behavior profiling to
| analyze what apps are doing in the background. A service
| launching recurring VIEW intents on web sites in the background
| should have raised a flag to the system."
|
| Sounds good.
|
| I sense that there are so many teams involved such a feature is not
| on their radar. So "they already know they blocked it" and "the
| existing installed app should be blocked" imply that two teams
| know what the others are doing.
|
| I'm guessing that the team that does the removal from the store
| has no communications path to those who would add a flagging
| mechanism for already installed apps.
| thatguy0900 wrote:
| " I would expect Google Play Protect to at least flag any app
| it finds on my phone that is not on their store. Such an app is
| not necessarily malware, but it should certainly be flagged."
| seems like Google is between a rock and a hard place here, they
| already catch so much heat over their treatment of third party
| app stores there would certainly be a lot of outrage over this
| if they started doing it
| Maxburn wrote:
| Very true, but instead of reaching in and removing your app
| giving a message saying "we pulled this app from the store
| for such and such reasons, maybe you want to review it" would
| be pretty nice.
| jm_l wrote:
| I believe that actually does happen if you installed
| through Google Play Store, but in this case the app was
| sideloaded onto the device.
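The check quoted above (flag installed apps that did not come from the store), written as an audit over the output of `adb shell pm list packages -i -3`. This is an added example, not code from the thread or the article. The sample output is constructed; the only package name taken from the page is com.qrcodescanner.barcodescanner, and the trusted-installer allowlist is an assumption.

```python
import re

# Installers accepted as known stores. This allowlist is an assumption made
# for the example; set it to the stores actually used on the device.
TRUSTED_INSTALLERS = frozenset({
    "com.android.vending",  # Google Play Store
    "org.fdroid.fdroid",    # F-Droid client
})

# `pm list packages -i` prints one line per package:
#   package:<name>  installer=<installer package, or null>
LINE_RE = re.compile(r"^package:(\S+)\s+installer=(\S+)$")

# Constructed sample of `adb shell pm list packages -i -3` output
# (third-party packages only). The installer values are invented.
SAMPLE_PM_OUTPUT = """\
package:com.example.browser  installer=com.android.vending
package:com.example.reader  installer=org.fdroid.fdroid
package:com.qrcodescanner.barcodescanner  installer=null
package:com.example.flashlight  installer=com.google.android.packageinstaller
package:com.example.game  installer=com.example.thirdpartystore

garbage line without the expected fields
"""


def parse_installers(pm_output):
    """Return ({package: installer or None}, [lines that did not parse])."""
    installers, unparsed = {}, []
    for raw in pm_output.splitlines():
        line = raw.strip()
        if not line:
            continue
        match = LINE_RE.match(line)
        if match is None:
            # Keep odd lines visible instead of dropping them silently.
            unparsed.append(line)
            continue
        package, installer = match.groups()
        installers[package] = None if installer == "null" else installer
    return installers, unparsed


def audit(pm_output, trusted=TRUSTED_INSTALLERS):
    """List (package, reason) for every app not installed by a trusted store."""
    installers, unparsed = parse_installers(pm_output)
    findings = []
    for package in sorted(installers):
        installer = installers[package]
        if installer is None:
            findings.append((package, "no installer of record"))
        elif installer not in trusted:
            findings.append((package, "installed by " + installer))
    return findings, unparsed


if __name__ == "__main__":
    findings, unparsed = audit(SAMPLE_PM_OUTPUT)
    for package, reason in findings:
        print(f"REVIEW  {package}: {reason}")
    for line in unparsed:
        print(f"UNPARSED  {line}")
```

An installer of com.android.vending only records where the APK came from; it does not show that the app is still listed in the store, so a removed app passes this check.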
| asiando wrote:
| What surprised me here is that Android doesn't have a native QR
| scanner. I've always assumed that iOS was late to the game and
| that Google Search/Lens handled QRs since 1999. Is that not the
| case (anymore)?
| rjmunro wrote:
| The issue is that some malware installed itself with the name
| QR scanner, not that Android does or doesn't have a QR scanner.
| Most Android camera apps (each phone comes with its own) will
| recognise QR codes fine, although the UI is sometimes annoying.
| technion wrote:
| My Huawei phone actually does come with a QR scanner. You just
| have to open the built in camera app, then click this icon[0].
| It defaults to the translator camera, which I find really that
| you can just point at text and it translates it on your screen.
| Then there's a picture of a square with a line down the center
| that turns on the QR scanner.
|
| As you can imagine, when all the covid checkins started, I
| couldn't find this. Everyone would say to me "just open the
| camera on your iPhone it's easy" as though it was a given that
| every visitor was using an Apple phone.
|
| I went through three different QR apps based on what I found on
| the play store and all of them blasted me with inappropriate
| ads I kept wishing I didn't open in public. A bit of visibility
| in the UX would have solved this.
|
| [0] https://ibb.co/L5XG21G
| morsch wrote:
| The versions of Android that vendors ship usually have a QR
| scanner. For example, Samsung's camera app reacts to them by
| default. I don't think AOSP has a QR reader, but Lineage OS
| ships a camera that reads them.
| peteri wrote:
| It's in the Google Lens app on my Pixel 5.
| morsch wrote:
| I'll add that even though most phones have some sort of
| built-in reader, there are many reasons a developer would
| want to use a standalone reader. The Samsung reader launches
| URLs (99% of QR codes I encounter), and it understands Text
| and VCARD as well, but I don't know that it understands all
| kinds of arbitrary or custom QR codes you might want to
| define.
| throwawaysea wrote:
| Scary. Is there such a thing as a malware scanner on Android? Are
| they effective or worthwhile at all? Why isn't Apple susceptible
| to this type of malware, seemingly?
| Daho0n wrote:
| A malware scanner won't find an app that you gave permission to
| show on top of other apps and use this to show ads. It is not
| doing anything it isn't allowed to do.
| anonnyj wrote:
| I really wish there was more granularity to the permissions. For
| the vast majority of apps, I don't want them to be able to use
| the internet. Seems pretty basic (other than the fact that it
| threatens the whole Ad ecosystem...)
|
| Would be cool too if there was a shared file space for apps...
| And apps had to stay within that pen. Giving them access to all
| your phone's files is just reckless. But I don't have the
| choice.
| MrPatan wrote:
| Every native app can be hacked, or sold, to a malicious actor
| that will then make your phone theirs.
|
| Reduce the attack surface as much as you can!
| [deleted]
| bzb6 wrote:
| It's a joke that this happened. And even worse that he considered
| installing "malwarebytes", one of those things that smell of
| windows 98 shareware, to fix it. This is why I buy iPhone.
| Daho0n wrote:
| If you install an app on iPhone that is allowed to make pop-ups
| and it shows ads in those pop-ups you get the same situation as
| here. This wasn't malware as it couldn't access anything except
| itself.
| bzb6 wrote:
| The article says the app kept opening new browser tabs on
| chrome while the app itself was not on the foreground. That's
| impossible on iPhones
| pw6hv wrote:
| A QR code reader was the problem then... I am an Android user
| since the dawn of time and I was so surprised when my wife showed
| me that on her iPhone the QR code reader is embedded in her
| camera app... I wonder why it is not the same in any version of
| Android that I have used (now I am on Android One).
|
| This plus the native support for CardDav and CalDav are pushing
| me to try iOS next time I have to change my phone.
| nunodonato wrote:
| I use the Microsoft launcher and a qr code scanner is part of
| it
| romanows wrote:
| On my Pixel 4a: Camera / Modes / Lens. That will open Google
| Lens which should scan QR codes.
| chaos_a wrote:
| You can do the same on any android phone by opening the
| google app and tap the lens icon in the search bar.
| muro wrote:
| It does - just checked.
| oefrha wrote:
| > on her iPhone the QR code reader is embedded in her camera
| app... I wonder why it is not the same in any version of
| Android that I have used
|
| Apple added a builtin QR code scanner to the camera app in iOS
| 11 due to the ridiculously widespread use of QR codes in
| China.[1] I guess (Google's version of) Android doesn't have
| that because Google doesn't derive much value from that market,
| and QR codes don't have as much mindshare in other major
| markets.
|
| [1] They specifically called out the Chinese market when
| introducing the feature in WWDC 2017 keynote:
|
| > Of course, there's much more than we have time to talk about
| today, but I want to highlight some features of special
| interest to our customers in China, like QR codes that are
| integrated right into the main camera, accessible from the lock
| screen, super use Yes, super useful for customers in China.
|
| https://asciiwwdc.com/2017/sessions/101
| Daho0n wrote:
| Android has had a built-in QR scanner for years. Looking in
| this thread at least OnePlus, Pixel, Motorola and Samsung has
| it in the default app. As far as I know it is part of
| android.
| srg0 wrote:
| Huawei has QR scanner built-in in the gallery app
| https://consumer.huawei.com/en/support/content/en-us00326153...
|
| I believe that its built-in app also has a QR scanner in
| HiVision package, but it requires to accept a scary privacy
| agreement.
|
| Firefox for Android embeds a QR scanner in its address bar:
| https://support.mozilla.org/en-US/kb/scan-qr-codes-firefox-a...
| johnchristopher wrote:
| Firefox android has a QR code reader. I also recently noticed
| that the Google App (Discover ?) has a QR code reader and I
| think the Google assistant too.
|
| But these are all behind app, not readily accessible.
| cdr3 wrote:
| Firefox for Android comes with an integrated QR code reader.
| Works great. No add on needed.
| Apanatshka wrote:
| My Firefox on Android has a QR code scanner, I typically use
| that even when I know it's not a website. When you open a new
| tab and select the address bar you get to see the button for
| the QR code scanner.
| [deleted]
| pwg wrote:
| On my Moto E4 (Android 7.1.1) the default Android camera app
| also reads QR codes. But nothing in the app. nor app. help
| actually tells anyone that it will do this. The only way one
| discovers it is by pointing the camera at a QR code to see what
| happens, and realizing that the app just decoded the QR code it
| was viewing.
| neya wrote:
| On my Samsung it's the same as well. The default camera app
| scans any QR code, even does document scanning on the fly which
| I find super useful.
| roel_v wrote:
| Yes, on my Samsung the camera app is great, and it gets
| better all the time. I know people like to crap on Samsung
| but they do some great things in some regards.
| barnabee wrote:
| Aside: on iOS the default camera app doesn't do document
| scanning but the Files app does (it's an option under the
| menu on the browse tab).
|
| Took me ages to discover that, still not sure how long it's
| been there.
| lethologica wrote:
| The notes app also does document scanning in iOS and I've
| found it very very useful.
| wwn_se wrote:
| Samsung phones have qr reading in the camera app since a few
| years at least. Google also has Lens but that does not work
| offline (?)
| qu-everything wrote:
| I just tried with my Samsung s9+ and the camera app picked up
| the qr code, don't know what you are saying
| Tokelin wrote:
| That's specific to the default Samsung Camera app.
| Daho0n wrote:
| It is in moto, pixel, oneplus, xiaomi, huawei too. Likely
| default to Android 9+
| goldcd wrote:
| It is on my pixel (so worth a try on whatever's shipping with
| Android One).
|
| I thought it was a bit 'hit or miss' at first - if you hold the
| camera over the code, after a bit it decides to pop up a link
| over the QR in preview. Then realized if you tap on the code,
| it instantly displays the link. Just had a fun few minutes on
| https://www.google.com/search?q=qr+codes&tbm=isch - as the tap
| allows it to handle multiple ones within the same frame.
| perryizgr8 wrote:
| > I wonder why it is not the same in any version of Android
| that I have used
|
| I've had this on Samsung phones for a long time.
| oakwhiz wrote:
| I was going to recommend the open source "Barcode Scanner" app
| also known as "zxing" on GitHub. However when looking at the
| app's page, I noticed that someone seems to be engaging in some
| kind of review-bombing with that app. There are tons of reviews
| claiming that it was recently updated and has highly intrusive
| full page popup ads. But looking at the version info, the app
| hasn't seen an update for over 2 years and the repository is in
| maintenance mode, and neither I nor anybody else that I know has seen a
| single ad when using it.
|
| I wonder if this is a concerted effort to steer impressionable
| people away from a "real" FOSS QR code reader app and direct
| them to a malicious one instead, using scare tactics.
| rozab wrote:
| If you say "OK Google, scan a QR code", it opens up Google
| Lens which does the job but only seems to be accessible
| through voice on my device
| jimmySixDOF wrote:
| I also use Lens for QR and like any typical app just
| installed through Play and launch normally.
|
| Voice Assist is yet another privacy invasion vector imho,
| there are too many anecdotal first hand accounts of someone
| talking about fishing and suddenly getting banner ads for
| boat trips everywhere.
| chopin24 wrote:
| You don't think it's more likely that a person who talked
| about fishing also searched for fishing gear using
| Google? Or "Likes" fishing on Facebook? Or follows a
| fishing person on Twitter?
|
| The technology and storage that would be required to
| parse non-device-directed speech doesn't exist and
| wouldn't be profitable since there are so many other
| reliable signals that are much cheaper.
| pja wrote:
| On my Android phone if you open the camera App there's a
| Google Lens icon at top left next to the menu hamburger
| icon.
| scatters wrote:
| You can access it without voice, by opening Assistant
| (long-press Home, double-press Power, etc.) and then typing
| "Lens" into the search box.
|
| Ridiculously, there's no way that I can see to get an app
| shortcut icon to it.
| abraham wrote:
| There is a Lens app you can install to get an icon.
| https://play.google.com/store/apps/details?id=com.google.ar....
|
| Note: I work at Google but not on Android/Lens
| scatters wrote:
| OK, I've done that. It's pretty crazy that the app takes
| up 40MB just to add an icon to my apps menu.
| matsemann wrote:
| It wasn't a QR code reader that was the problem, it was a
| malware posing as a QR code reader. It didn't sound like the
| author downloaded a QR code reader and happened to get malware.
| He got malware from some source which installed itself that
| way.
|
| I had a QR reader in my camera app on some old Androids, around
| 2011 or so, but maybe it was because I then often was running
| custom ROMs? Or because back then QR codes were hyped and used
| for everything? Anyways, in 2019 or so it was included again in
| the native camera app on all Samsungs.
|
| While I get the allure of "it just works", having a niche
| feature that's basically never used and easily installed anyway
| seems like a weird hill to die on.
| rbg246 wrote:
| I recently discovered Firefox on Android has one if you focus
| on the address bar there is an option to scan, you just need to
| give Firefox permission to access your camera
| gfxgirl wrote:
| That's disappointing. Chrome on iOS also has a QR code scanner.
| Surprising that Chrome on Android does not
|
| https://support.google.com/chrome/thread/7862896?hl=en
| izacus wrote:
| Pretty much most of Android phones have QR code reader embedded
| in the camera app as well.
| jedimastert wrote:
| There is native support now with Lens, although I agree it's
| kinda nutty that it took so long.
| Sander_Marechal wrote:
| I have a Pixel 2. It scans QR codes with the default camera app
| just fine. When it detects a QR code you get a little popup you
| can click. It even works with regular 1D barcodes.
| dariosalvi78 wrote:
| same here with One plus
| ciceryadam wrote:
| Same here with a semi-recent Motorola One Zoom
| MrDresden wrote:
| Long time Pixel user here (and an Android dev for that
| matter) and I had no idea the camera had qr support!
| mackrevinack wrote:
| just go into the camera settings and turn on lens
| suggestions
| Daniel_sk wrote:
| If you are fine with sending the camera stream to Google
| for analysis...
| Daho0n wrote:
| If not you wouldn't use a Pixel.
| tjoff wrote:
| Hardly a fact. As a privacy minded person I hold the
| Nexus/Pixel devices quite high in regard in the android
| ecosystem.
|
| Better to be screwed by google, than to be screwed by
| both google and samsung/whatever.
| MrDresden wrote:
| Well actually I just tried this with the normal camera
| and it worked fine without activating lens (or having
| given it any permissions).
| po1nter wrote:
| Same here with my Samsung Galaxy S8+. There's a QR code
| scanner in the camera app.
| pbhjpbhj wrote:
| I have an Honor5C on Android 7 (with EMUI5) and there's a QR
| code reader built in, but I only found it by accident.
|
| After taking a picture of a QR code, view the image, tap
| 'more', wait 10s, if the image is good enough (and it really
| needs perfect focus and placement, it's very pernickety) then it
| will show "read QR code", if you choose that option it will
| then take you to a URL/text preview, and then you can open your
| browser to that URL, etc..
|
| Worst discoverability ever!
| TheChaplain wrote:
| For CalDav/CardDav there's DAVx5. It's on Play if you want to
| support the developer, or F-Droid if you don't.
|
| There is also ICSx5 from the same developer, works against
| outlook.com.
|
| I paid for both, they work great.
| samoa42 wrote:
| so there are a ton of different apps for which you can pay to
| get a feature that ios has builtin. great
| ChuckNorris89 wrote:
| You mean just like how on iOS you need to pay for apps to
| give you (almost) the same functionality and customization
| as on Android?
| forty wrote:
| Note that the apps they mentioned are available for free
| samoa42 wrote:
| noted, hence i wrote 'can pay' and not 'must pay'.
| teekert wrote:
| Meh that goes 2 ways. Try getting good WebDAV or third
| party backup solutions in the Mac ecosystem. You win some,
| you lose some.
| dotancohen wrote:
| I'll vouch for DAVx5. Terrific app, I've been using it for
| years through the name change. I use it to sync contacts and
| calendar with NextCloud.
| teekert wrote:
| Firefox mobile also has one embedded.
| OJFord wrote:
| The camera app is actually not one thing, even on Android One,
| it depends on hardware support. The Pixel one doesn't work on
| my Nokia for example.
|
| My last few Android phones have had QR reading built in to the
| camera though, just not current Nokia. It might even be my
| biggest annoyance with it...
| Daho0n wrote:
| So does Android (at least OnePlus and Pixel) in the default
| Camera app.
| cam_l wrote:
| After going through dozens of QR code scanners trying to find
| one that is open source and trustworthy enough looking to
| install, i realised there is just one right there in Firefox.
| Daho0n wrote:
| And in the default camera app.
| cam_l wrote:
| Sure, but only if you also have the Google app and Google
| lens.
| lathiat wrote:
| I read somewhere the native camera app also does but many
| including Samsung have their own app instead. Cannot vouch for
| that.
|
| On the flip side there are QR apps in the top 100 App Store
| apps because the built-in support in camera is not really
| obvious unless someone tells you.
| mackrevinack wrote:
| i had an s10e recently and the camera app would scan them if
| they were in view and show a popup message.
| andrepd wrote:
| Simply get something from fdroid.
| prof18 wrote:
| QR Reader are load of everything. I went mad to find a
| decent one for my parents' android phone and apparently it
| doesn't exist. So in a weekend I've created one without any
| kind of tracking, ads, permission, whatever. Here it is if you
| guys need one ->
| https://play.google.com/store/apps/details?id=com.prof18.sec...
| thatguy0900 wrote:
| Google makes one themselves, Google lens. It's quite a bit
| more than just a qr code reader, though, kind of a generic
| computer vision app https://lens.google.com/
| georgyo wrote:
| I've been using this one since the Android 1.0:
| https://play.google.com/store/apps/details?id=com.google.zxi...
|
| What's interesting, is that despite the app not being updated
| since 2018, open source, and containing no ads or tracking
| the reviews are saying it recently became adware.
|
| Searching for barcode scanner in the app store brings you to
| a horrible sea of ad supported crap ware, and it seems like
| that crap ware wants to ensure you don't download something
| that might be decent.
| tallanvor wrote:
| Either it's a campaign to try and lower the ratings or a
| bunch of people have managed to get separately installed
| malware and thought this was the cause.
|
| The last update I see available is what I have installed -
| 4.7.8 from September 2018. Definitely no strange behavior
| from it.
| bipson wrote:
| Hm, it says updated February 2019?
|
| But I also use this app for QR-codes, since I was never
| able to find an alternative. The vast permissions required
| make me nervous every time I install it... Good to know it
| is on F-Droid as well, built from a source tarball, so
| should be OK [1]?
|
| [1] https://f-droid.org/en/packages/com.google.zxing.client.andr...
| georgyo wrote:
| Interesting, in the Android play store it says Sept 2018.
| But I opened it on a browser and I see Feb 2019.
|
| However all the negative comments about ads are from
| after November 2020. Clearly a smear campaign.
| Cyykratahk wrote:
| Yeah, something's fishy.
|
| I scraped the latest 1000 reviews (coincidentally almost
| exactly 12 months worth).
|
| The "adware" reviews are all very recent with large amounts
| of votes.
|
| They seem to start on December 18, with 162 1-star reviews
| in the following 25 days -- more than all the 1-star
| reviews in the 6 months prior.
|
| I wouldn't be surprised if these reviews are not only
| automated spam, but are constantly being deleted and
| reposted to keep them "fresh", and at the top of the
| "relevant reviews".
|
| Charts: https://imgur.com/a/QUyHcHu
|
| CSV of review data: https://pastebin.com/ZanYgd5Y
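One way to test a review history for the kind of 1-star burst described in the comment above. This is an added example, not the commenter's script. The review list is constructed: only the shape "162 one-star reviews in the 25 days from December 18" follows the comment, while the baseline rate, window sizes and thresholds are assumptions.

```python
from collections import Counter
from datetime import date, timedelta

BURST_START = date(2020, 12, 18)  # start date given in the comment


def build_constructed_reviews():
    """Constructed data: 180 quiet days, then 162 one-star reviews in 25 days."""
    reviews = []
    for i in range(180):
        day = BURST_START - timedelta(days=180 - i)
        reviews.append((day, 5))
        if i % 2 == 0:                      # one 1-star review every other day
            reviews.append((day, 1))
    for j in range(25):
        day = BURST_START + timedelta(days=j)
        reviews.append((day, 5))
        reviews.extend([(day, 1)] * (7 if j < 12 else 6))   # 12*7 + 13*6 = 162
    return reviews


def daily_counts(reviews, stars=1):
    """Number of reviews with the given star rating, per calendar day."""
    return Counter(day for day, rating in reviews if rating == stars)


def count_between(counts, first, last):
    """Sum of daily counts over the inclusive date range [first, last]."""
    total, day = 0, first
    while day <= last:
        total += counts.get(day, 0)
        day += timedelta(days=1)
    return total


def period_vs_prior(reviews, start, days, prior_days):
    """The comment's comparison: 1-star count in a period vs. the period before."""
    counts = daily_counts(reviews)
    in_period = count_between(counts, start, start + timedelta(days=days - 1))
    before = count_between(counts, start - timedelta(days=prior_days),
                           start - timedelta(days=1))
    return in_period, before


def find_bursts(reviews, window_days=7, baseline_days=90, ratio=3.0, min_count=10):
    """Flag each window whose 1-star count is >= ratio x the baseline's rate.

    Returns (window_end, count_in_window, count_in_baseline) per flagged day.
    The baseline is the baseline_days immediately before the window.
    """
    counts = daily_counts(reviews)
    if not reviews:
        return []
    first_day = min(day for day, _ in reviews)
    last_day = max(day for day, _ in reviews)
    flagged = []
    end = first_day + timedelta(days=window_days + baseline_days - 1)
    while end <= last_day:
        win_start = end - timedelta(days=window_days - 1)
        base_end = win_start - timedelta(days=1)
        base_start = base_end - timedelta(days=baseline_days - 1)
        in_window = count_between(counts, win_start, end)
        in_base = count_between(counts, base_start, base_end)
        expected = in_base * window_days / baseline_days
        if in_window >= min_count and in_window >= ratio * expected:
            flagged.append((end, in_window, in_base))
        end += timedelta(days=1)
    return flagged


if __name__ == "__main__":
    data = build_constructed_reviews()
    print(period_vs_prior(data, BURST_START, 25, 180))
    for end, in_window, in_base in find_bursts(data)[:3]:
        print(end, in_window, in_base)
```

A rate jump alone does not separate a coordinated campaign from users reviewing the wrong app; pairing flagged windows with version history (no release in the window) is what makes the pattern suspicious.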
| johnx123-up wrote:
| Curious: How did you do that? (scrape + chart)
| splonk wrote:
| The malware app was also called "barcode scanner",
| published by "the space team", so it wouldn't surprise me
| if a lot of people just found the more popular zxing app
| on the store and left reviews in the wrong place. I had
| the malware version installed and went through the same
| process Cedric did to find out that an update they pushed
| around that time turned on the bad behavior.
| dbrgn wrote:
| Just wondering: Since you're using zxing library, why not go
| for the zxing barcode scanner directly?
| https://play.google.com/store/apps/details?id=com.google.zxi...
|
| Another option would be to use Google's MLKit. I think
| they've added support for scanning QR codes in there. It
| requires Google Play Services though, which is not ideal.
| msravi wrote:
| The reviews on that app don't look encouraging:
|
| > No issues initially but now it will give full screen ads
| often that either force open your browser to a shady
| site...
|
| > ...thought I should update it. That's when I started
| getting full page ads and browser redirects. I don't know
| who hijacked this app...
|
| > Avoid!! Used to be great. Now opens adware, and pops it
| over the lockscreen. Goes to great lengths to cover its
| tracks, calling the process "partners" and removing itself
| from recent applications. I had to use "popup ad detector"
| to find it. Appalling behaviour. Very underhanded.
|
| The zxing library is open source and different from the
| app. So looks like something fishy happened to the app
| recently. From the description of problems, this might even
| be the app referred to in the article.
| lmz wrote:
| It was last updated 2019 according to the footer. Maybe
| the bad reviews are paid for by the devs of the other QR
| apps?
| dlazar wrote:
| I've been very happy with Binary Eye:
| https://f-droid.org/en/packages/de.markusfisch.android.binar...
| swiley wrote:
| What happened to the zebra crossing demo app? That's what I
| always used when I had android.
| notretarded wrote:
| Update it to include ads once you have the majority market
| share and cash out
| slezyr wrote:
| Or anything from FDroid. I use Barcode Scanner
| (https://f-droid.org/en/packages/com.google.zxing.client.andr...) as it
| scans even damaged codes.
| simonmales wrote:
| I believe 'Barcode Scanner' was potentially one of the
| first barcode scanners on Android. Been using it since
| Android 1.x on the ADP1.
|
| Don't forget it is on the Google Play store too.
| https://play.google.com/store/apps/details?id=com.google.zxi...
|
| There was a time when QR Code scanning was better in
| Android than iOS (native in iOS 11.x).
|
| The "Google" way of scanning QR Codes is Google Lens, but
| it doesn't work offline :|
| tusharpandey13 wrote:
| Beware, the play store version shows full screen ads,
| auto redirects and needs contacts permissions.
| simonmales wrote:
| Ah, looks like my installation is actually from FDroid,
| and never realised.
| rjmunro wrote:
| I've installed from Google Play, and never seen any ads.
| It has contacts permission, but that's because sharing
| contacts with a QR code is something I use it for
| frequently (it can generate codes as well as scan them).
| riphdd2020 wrote:
| Is there any proof for this, apart from those bad
| reviews? The blog mentions another (now removed app) with
| the package name com.qrcodescanner.barcodescanner, not
| the open source one at
| https://play.google.com/store/apps/details?id=com.google.zxi...
|
| I believe these bad reviews might be a result of the
| malware app pushing bad reviews to the zxing app page on
| google play, using an in app 'rate this app?' -> low
| rating -> send to the zxing app in Google Play (instead
| of the malware app in google play).
| Rooster61 wrote:
| As noted above, I believe this to be the case. I had the
| other app and started receiving full page ads for it.
| Totally different developer, but same app name. I am no
| longer able to find that app in the play store.
| djeiasbsbo wrote:
| Same here. Generally when looking for good quality Android
| apps, F-Droid should come first. I think about 95% of the
| apps I use on my phone are covered with F-Droid. Only
| banking apps and public transit apps are from the Play
| Store.
| climb_stealth wrote:
| I feel like this is a good example of how difficult it is
| to find a good barcode scanner. It mentions permissions for
| contacts and full network access. I would have thought that
| those two permissions should not be necessary for a barcode
| scanner and point toward something dodgy going on.
| ignitionmonkey wrote:
| It's actually not that difficult. F-Droid has a few
| offline scanners. It depends of course on how much of
| your experience you want automated. Though it would be
| nice if Android let you control the more granular
| permissions like network access.
|
| https://f-droid.org/en/packages/com.secuso.privacyFriendlyCo...
|
| https://f-droid.org/en/packages/de.t_dankworth.secscanqr/
| rarefied_tomato wrote:
| Error correction is inherent in processing the QR code
| itself. That is, QR codes are generated with varying levels
| of redundancy, and any reader must be able to interpret the
| Reed-Solomon code.
| JeremyNT wrote:
| > _Or anything from FDroid._
|
| This is the best heuristic to apply not just for QR code
| scanning, but for pretty much everything. To avoid malware,
| avoid the Play Store.
|
| When using f-droid, also check out the project web site and
| git repo (at least in a cursory way, even if you can't
| fully audit the code, you can get a sense of who the
| developer is and the project's overall health from the
| commit log and issue tracker).
| benboozled wrote:
| I'm largely in the dark when it comes to Android
| security. What makes F-Droid so much safer?
| SAI_Peregrinus wrote:
| It's not truly safer. It's just smaller, and only has
| open-source apps. So it's harder to hide malware, but
| still certainly possible (nobody checks most apps).
| marcodiego wrote:
| It seems much safer. F-droid apps are finely curated
| open-source apps and anti-features are marked and easily
| avoidable.
| SAI_Peregrinus wrote:
| The issue is the "finely curated" statement. It's not a
| full code review, just "Wherever possible, applications
| in the repository are built from source, and that source
| code is checked for potential security or privacy issues.
| This checking is far from exhaustive though, and there
| are no guarantees."[1] After an app is added to F-Droid
| it gets built from source by the F-Droid build servers,
| but it _does not generally get re-reviewed_. It's
| perfectly possible to add the malware after the initial
| release. It's also possible (even easy) for malware to be
| missed by the limited code review. F-Droid is a little
| safer, but that doesn't mean it's particularly safe. It's
| no harder to get malware on F-droid than it is to get it
| into Arch or Debian or any other distro repository.
|
| [1] https://f-droid.org/en/about/
| marcodiego wrote:
| F-droid only accepts open-source apps. Apps with anti-
| features are also marked as such.
|
| Play store should be only used for things that you can't
| work around with apps from f-droid.
| emerongi wrote:
| I went mad trying to find a decent voice recorder for my mom.
| Eventually settled on some ad-littered app, but at least it
| didn't request any extraneous permissions. Every other app
| asked for every single permission under the sun... to record
| voice.
|
| The one thing I've noticed about the iOS store is that apps
| are more up-front. Many have a price tag attached to them,
| which I prefer. Android apps are all about giving you
| something for free and then in the back doing god knows what
| to make pennies off of you.
|
| The whole ads-in-apps situation is from some sci-fi novel.
| Let's make screens bigger, so we can fill more of it with
| ads.
| StavrosK wrote:
| This looks great, can you add it to F-Droid? I tend to trust
| stuff that's on F-Droid more, even if I do end up installing
| them from the Play Store.
| msravi wrote:
| Thanks very much! Just installed and does a great job!
| deadbunny wrote:
| Thanks for this.
| FullMetalBitch wrote:
| It's great since you have the ability, but I set up all my
| family phones with F-Droid and some good apps there,
| including QR readers.
| shscs911 wrote:
| I use the built-in QR-code scanner available in Opera Mini
| beta. Also, it's the only browser I know that has a built-in
| RSS Feed reader. I use an old APK, as the newer version of
| Opera Mini removed the RSS functionality.
| chupchap wrote:
| Take a photo of the QR code with any camera and open the image in
| Google Photos. Google Lens will detect the QR code and do the rest.
| underlines wrote:
| Xiaomi's Android distro MIUI has QR code scanning in the Camera
| app by default. Most Asian target markets do that, because QR
| codes are more common here.
| aembleton wrote:
| MIUI also allows you to sort apps by installation time
| underlines wrote:
| Xiaomi's MIUI has QR code reader as a default feature in the
| camera app, and as a short link on the desktop
| saagarjha wrote:
| This is basically the problem I have with Windows (well, had,
| maybe it's gotten better): a bunch of basic tools are third-
| party utilities. Microsoft will even point you to them?! On
| macOS either the basic things are built in or easy to find from
| a website that isn't trying to push a new toolbar at you. On
| Linux you just use your package manager to install whatever it
| is...
| toyg wrote:
| I don't think you really need any 3rd party utility on
| Windows anymore, for the basic tasks. Any browser has PDF
| viewing, .zip support is already there (since Win2000), it
| has basic image manipulation and text editing, screenshot
| editor, and I think even desktop-recording. Sure, none of
| these things is a "best in class" app, but that's normal (and
| leaves market space for developers). Anything beyond that is
| not "basic" and I wouldn't expect it on MacOS either.
| V-2 wrote:
| Same with eg. multi-entry clipboard (although I still use a
| third party utility app for that out of habit).
| j1elo wrote:
| +1 to the answers here. Mine offers QR reading as another
| selectable mode, in addition to the "Still photo" and "Movie"
| modes. My previous phone had it integrated in the "Still photo"
| mode: it would simply detect and read QR codes automatically
| when pointing the camera towards one.
|
| But, the phone I had _before_ those two, had a Camera app which
| didn't read QR codes. So maybe it's a matter of expectations
| now: old Camera apps were just for Camera, while modern ones
| are now generally expected to be able to read QR codes? (I
| would, anyway)
| robertlagrant wrote:
| If Google removed it from the Play store, why don't they have a
| way to tell people that an app they have installed has been
| detected as malware and prompt them to remove it?
___________________________________________________________________
(page generated 2021-01-11 22:03 UTC)