by TomOwens 1828 days ago
Most of the comments on that app as well as here are probably wrong. I'd suspect that everyone who had the app "installed without their permission" opted into the Android COVID-19 Exposure Notification program. This was deployed by Google as part of an update to Google Play Services.

When you go to your phone's settings with this update, there's an option to enable COVID-19 Exposure Notifications. When you turn it on, it prompts you for your location and will download your region's app that uses your phone's new capabilities to connect to the appropriate health authorities.

Massachusetts just opted into this program in the last couple of weeks. I'm honestly not sure why they did it so late - this would have been helpful earlier. Apple iPhones also have this capability, including interoperability with Android phones, and iPhone users in Massachusetts are also able to turn on this setting.

Now, if someone can actually prove that they didn't opt into the COVID-19 Exposure Notifications, then I'd be concerned. But my guess is they opted in when it came out, but there was no app for their region, so nothing was downloaded and the feature did nothing. Then, Massachusetts rolled out the app now and lots of people who configured their phones earlier in the pandemic got a new app. They granted permission for it, perhaps months ago.

16 comments

I don't know what kind of proof you want, but I just looked at my phone settings after reading your comment. The exposure notification option is there and it's off. The region selection is grayed out because of it. Yet I got the app (uninstalled it after I saw this on hacker news).

I did get a notification when it got installed but I thought it was just a push similar to amber alerts. I didn't realize it installed something at the time.

Still, exposure notification was never turned on.

I'm in Boston and it wasn't installed on my phone (exposure notifications have always been off AFAIK). I'm on an old iPhone 5s, not sure if that makes a difference or maybe it's just specific areas? According to this, https://thesomervillenewsweekly.blog/2021/04/05/massnotify-a..., different cities were piloting at different times, although it all seems opt-in.
The submission is specifically about a google play app being auto pushed, so being on an iphone would certainly protect you from it :)
Also Boston area. I got a notification on my iPhone that I could turn it on
Same here. Never opted in, just checked and that hasn't changed. I hadn't even selected a region, so it shouldn't even know which invasive app to install, but I still got it.
Ditto. 10 minutes before I saw this post I declined the opt-in notification for exposure notifications, yet I still had the app.
I'm a MA resident and this app was on my (Android) phone...until a few minutes ago when I read about it on Hacker News, found it, and deleted it.

I have no memory of ever opting into the program you describe, and it isn't the type of thing I would normally do. It's possible I guess.

In any case, the way they did this is creepy. There was no icon for the app; I had to look in Settings/Apps & Notifications to find it. And neither the official state press releases nor the few local news stories about it mention that the app was installed without notice. They use vague, lawyerly language about how it can be "enabled".

> In any case, the way they did this is creepy. There was no icon for the app; I had to look in Settings/Apps & Notifications to find it. And neither the official state press releases nor the few local news stories about it mention that the app was installed without notice. They use vague, lawyerly language about how it can be "enabled".

This incident and your comment reminded me of a story Bezos mentioned in his interview about the time Amazon deleted 1984 from kindle. The analogy he made makes me wonder how can we compare what happened here to what Amazon did..

“Without any notice or warning just electronically go into everybody’s Kindle, who had downloaded the book and just disappear it…so it would be as if we walked into your bedroom in the middle of the night, found your bookshelf, and just took that book away”

19:48 https://youtu.be/SCpgKvZB_VQ

MA resident as well, what worries me more is that someone thought that this method of installation was a good idea and even more worrying is that they were also able to execute on it. It feels rather shady and nefarious, the lack of public announcement on it. Shenanigans like this are how you get the populace to trust the local government less, which is the last thing this country needs.
It's actually great it's happened. It showed everybody that the government can install whatever they want on your phone without your consent and knowledge. In this case they decided to leave you the option to uninstall but in the future they might not and spy on you at will. Another reminder you are not the owner of your device.
> In this case they decided to leave you the option to uninstall but in the future they might not and spy on you at will.

Then they'll be just like Google, Fecebook, Amazon, etc, etc.

Which leads to the question: if anyone powerful or wealthy enough can take total control of your phone, how comfortable do you feel with that?

There are two routes here. One way is to deal with it the European way, i.e. to try to fix it by a legal framework. The other one is a technical solution like Purism, which is very far from mainstream still. The sooner people realize they have a problem, the sooner they start organizing to find a solution.

My kids really want an Oculus but I absolutely refuse to let Facebook into our house, any more than I knowingly have to; I’m sure they’ve weaseled in other ways I don’t know about yet.
I don't see anything bad with people not trusting their local government... Exhibit A
Maybe they shouldn't blindly trust it, but they should be able to hold it accountable.
Well, given that a significant percentage of citizenry is anti-vaxxer-level-stupid, there isn't much improvement over people trusting their local Government either…
Considering in a not too distant yesterday(pre-Covid) the "anti-vaxxers" were all liberal/granola types and now they are magically all conservative/racist types, perhaps you may want to re-assess your 2-dimensional view of the real world. I believe a cogent example was on the front-page of HN just a day or two ago, but IANYG.
"Not too distant" means only five years ago. The "anti-vaxxers" were people who lived in primarily white, primarily wealthy, primarily urban or suburban environments and who refused (usually) the MMR vaccine.

You don't find measles outbreaks in rural Mississippi. You find them in Washington, New York, and California. [1]

So it's pretty rich to label someone as an "anti-vaxxer" for refusing the experimental, emergency-use, mRNA jabs, when that person has never demonstrated even the slightest hesitancy about receiving or administering every other approved vaccine.

1. https://en.wikipedia.org/wiki/Measles_resurgence_in_the_Unit...

Labels like anti-vaxxer just seem to be weaponized propaganda to me. It’s a cheap, easy way to discredit someone you don’t agree with. Hopefully, as time goes on and disparaging groups throw these accusations back and forth at each other, it eventually dilutes their meaning and impact.
lol. I never mentioned the political leanings of the anti-vaxxer type; just that they are either very stupid people or misinformed by propaganda originating somewhere. It's interesting to see multiple downvotes on my comments from the folks who probably saw what's not written up there, just like you did. The "conservative/racist type" you said?

Quick question: what made you put the labels conservative and racist together?

Also, a liberal eating a granola bar might be stupid, but their actions do not put anyone else in danger. An anti-vaxxer however is a risk to society in that they are an active and potential host to a disease in circulation.

Wow, I thought I was someone who didn't get the app when I checked the icons but once I went into settings, there it was. I even have a NH phone number but live in MA.
Did you get vaccinated? If so, did you supply your email address related to your Google account on the form or enough other information to link the two? Did you read all of the related documentation? I wouldn't be surprised if they slipped somewhere on the form that you were agreeing to it.
I did supply my email but it's not a Gmail or Google for Work email address nor a domain tied to those. Exposure notification is clearly off. Still got the app.
There's even a standard for mobile operators to control the setting in your modem and update/install apps: https://en.wikipedia.org/wiki/OMA_Device_Management

I reverse engineered what this does in practice on the PinePhone modem (Quectel EG25G), for example, and there are pre-compiled binaries there for T-Mobile and Vodafone that process their particular OMA DM flavors, download some configuration and code from the internet and run it under root on the modem's SoC ARM CPU. (That's still isolated over USB from the main PinePhone SoC, but obviously not good.) It's also thankfully disabled by default, but if you google for "oma dm android", you get reports of this protocol still being used.

Whatever it does on a regular Android phone depends on how well it is implemented on Android. Regular phones don't have two almost-isolated SoCs like the PinePhone, so the OMA DM client would probably run on the main SoC, and everything depends on how secure that binary blob is and what it does/allows the operator to do.

Quectel software is a bit of a turd, so I wouldn't take from this that operators can run random code they make the device download under the root user, using this protocol. Most proprietary software like this is pretty shit, so I wouldn't feel warm and fuzzy safe on a random Android device either.

Can one use PinePhones to collect these blobs, and then try to run them on an Android simulator or whatever for more specific knowledge about operators' practices?
It's quite modem specific. You'll get more information just decompiling them.
I was about to say it might be through the carriers. I put a Verizon sim in my phone and I got a bunch of BS apps installed on my phone a few days later.
I just went through the Exposure Notifications flow on Android, and selected a region where it's not currently available (Arkansas). It displayed a message saying it wasn't supported in my region, and left the setting disabled. While it's still possible that your theory is correct, I certainly don't think it's the intended flow as of now.
I have no memory of opting in, I checked under Settings -> Google and "COVID-19 Exposure Notifications" was set to "Off", and the MassNotify app was still installed on my phone. It has no icon and the only way to find it is going to Settings -> Apps & notifications -> See all apps and it comes up under "Massachusetts Department of Public Health". Then when you go to the Google Play Store and search "MassNotify" or "mass notify" or even "Massachusetts Department of Public Health" (the exact name of the app), it doesn't come up in the search results. You have to go to "Manage apps & device" on the Google Play Store then scroll down to "MassNotify" which doesn't even match the name of the app in the other settings menu. This is pretty shady.
I just found this app and removed it. And I definitely did not opt into any kind of covid tracking earlier.

This app seems to use Bluetooth to track potential violations of 6ft personal space and notify people if someone from that list later gets a covid positive test. Whatever the noble goal is I do not want it on my phone, this is creepy!

When you opt-in, does it notify you of all the permissions the app will require?

- view network connections

- pair with Bluetooth devices

- full network access

- run at startup

- prevent device from sleeping

Virtually every non-trivial Android application has these permissions, none of which are even important enough for the system to prompt you for permission. The only interesting one is "pair with Bluetooth devices" which is how the Exposure Notifications system works.
Users expect to see the requested permissions.
All these permissions are granted without ever being shown to the user, due to being in the "other" category. If you install this app normally, Android will never ask you for permission, but just silently grant these permissions.
> The permission modal says this [0].

[0] https://news.ycombinator.com/item?id=27558825

On Android 6.0 (2017) and later, there is no permission modal if all permissions are in the "other" category, as they are in this case.

Android 6.0 introduced requestable permissions, where critical permissions had to be requested (and could be denied) at runtime.

At the same time it removed all modals for non-critical permissions.
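An added example (not code from the thread) that makes the "other" category concrete: it parses a constructed AndroidManifest.xml carrying the five permissions listed above and reports which are install-time "normal" permissions that Android 6.0+ grants with no dialog at all, and which are "dangerous" and would trigger a runtime prompt. The protection levels are the platform's declared levels for these permissions; the package name and the manifest itself are constructed.

```python
import xml.etree.ElementTree as ET

ANDROID_NS = "http://schemas.android.com/apk/res/android"

# Protection level declared by the platform for each permission.
# "normal" permissions are granted at install time with no dialog;
# "dangerous" ones need a runtime prompt on Android 6.0+ (targetSdk >= 23).
PROTECTION_LEVEL = {
    "android.permission.ACCESS_NETWORK_STATE": "normal",    # "view network connections"
    "android.permission.BLUETOOTH": "normal",               # "pair with Bluetooth devices"
    "android.permission.INTERNET": "normal",                # "full network access"
    "android.permission.RECEIVE_BOOT_COMPLETED": "normal",  # "run at startup"
    "android.permission.WAKE_LOCK": "normal",               # "prevent device from sleeping"
    "android.permission.ACCESS_FINE_LOCATION": "dangerous",
    "android.permission.CAMERA": "dangerous",
    "android.permission.READ_CONTACTS": "dangerous",
}

# Constructed manifest mirroring the permission list quoted in the thread.
SAMPLE_MANIFEST = """<manifest xmlns:android="http://schemas.android.com/apk/res/android"
          package="example.placeholder.app">
  <uses-permission android:name="android.permission.ACCESS_NETWORK_STATE"/>
  <uses-permission android:name="android.permission.BLUETOOTH"/>
  <uses-permission android:name="android.permission.INTERNET"/>
  <uses-permission android:name="android.permission.RECEIVE_BOOT_COMPLETED"/>
  <uses-permission android:name="android.permission.WAKE_LOCK"/>
</manifest>
"""

def classify_permissions(manifest_xml):
    """Group the <uses-permission> entries of a decoded manifest into
    install_time (silently granted), runtime_prompt and unknown."""
    root = ET.fromstring(manifest_xml)
    result = {"install_time": [], "runtime_prompt": [], "unknown": []}
    for node in root.iter("uses-permission"):
        name = node.get("{%s}name" % ANDROID_NS)
        level = PROTECTION_LEVEL.get(name)
        if level == "normal":
            result["install_time"].append(name)
        elif level == "dangerous":
            result["runtime_prompt"].append(name)
        else:
            result["unknown"].append(name)  # not in our table: review by hand
    return result

def will_show_permission_dialog(manifest_xml):
    """True only if at least one requested permission needs a runtime prompt."""
    return bool(classify_permissions(manifest_xml)["runtime_prompt"])

if __name__ == "__main__":
    for group, names in classify_permissions(SAMPLE_MANIFEST).items():
        print(group + ":", *(n.rsplit(".", 1)[-1] for n in names))
    print("user sees a permission dialog:", will_show_permission_dialog(SAMPLE_MANIFEST))
```

Swapping one of the normal permissions for CAMERA in the sample flips the result, which is the difference between the silent install described in the thread and the dialog users expect.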

"full network access" is a hugely important permission.

My cynical side believes that the reason for it not being as visible as other permissions is that platforms profit from the ad-driven app model, which itself heavily relies on an apps ability to access the internet.

That could also be why stock ROMs do not allow users to disable full network access on a per-app basis. (...like, for example, the camera permission.)

It's actually not disableable because there are so many ways to bypass it.

For example, just trick a user into clicking a hyperlink to another app like a browser which does have full internet access, and you have successfully exfiltrated any data in the URL.

Seems like a weak excuse.

I mean sure, you could do that, but it would be complicated, conspicuous, tiring for the user and you would still only get one-sided occasional transfer. It could exfiltrate data, albeit suspiciously, but it wouldn't work for ads .. which are the likely motivating factor.

Other motivating factor may be tracking, which google and vendors want to do, but I'm not sure what the stance would be on others tracking their users.

Yeah, this also seems like the most logical reason to me. If your business depends on people seeing ads in apps, why give them the possibility to circumvent them?
I have no memory of opting in to this, but it was installed on my phone.

Updated to add: well I'll be, an hour after this comment and seeing the link show me that Mass Notification was installed, I was prompted to opt in apropos of nothing.

If it makes you feel better (or worse) I specifically opted out and this app is installed
Another MA resident here. Never opted in and it still shows I'm not. The app was silently installed on my Android. There's no icon so I thought it didn't install at first, until I looked at my app list in settings.

I'm curious to know if there's any MA Android users that previously removed Google Play, and if they still have the app or not. My guess is no?

You can't remove Google Play in Android versions beyond 6, I believe.

You can only disable it

You can also flash a custom ROM and just not install gapps.
Sorry, I was referring to custom ROMs.
This speculation is 100% wrong. I checked for this app after seeing this and had it listed under updates available (it was installed already)

So I decided to check if I was in fact opted in and I was not opted in. Everything was off and this app was still installed without my consent. I do have automatic UPDATES turned on, but that shouldn't tell Google to just push whatever they want to me. You should probably edit your post saying your speculation is wrong.

I don't know what kind of proof you want, but I 100% never opted in.

lol, just got installed on my tablet. Wasn't there earlier.
This is a great explanation for what's occurring. I'll be interested to see what comes of all of this.

So far what I guess is:

- This is likely a government action via telco and not something done via Google* (*Unless they've opted into a program like the one you stated)

- These phones being affected COULD BE all Carrier Locked phones which have specific terms to allow such behavior.

To me, this is a pretty clear-cut violation of Google's Device update policy and could be considered Malware or stalkerware (by their definition): https://support.google.com/googleplay/android-developer/answ...

https://support.google.com/googleplay/android-developer/answ...

-----

I think we should all slow down on putting full blame on Google here and focus on Government abuse and overstep of powers.

"These phones being affected COULD BE all Carrier Locked phones which have specific terms to allow such behavior." I use an unlocked Pixel 4a on Google Fi and still got the app.
I can only speak for myself, but I checked my settings and the COVID-19 Exposure Notifications setting is set to "Off" and I still had this app pushed silently to my phone. What's even worse is there's no app icon for it on the device and it doesn't show up under your app list. I only knew it was on my device at all because I have auto updates turned off and it was in the queue waiting to be updated in the Play Store.
I never opted in, the setting for COVID notifications has always been OFF, and I still got the app silently installed on my Android phone.
I wasn't opted in. I have recently moved to Massachusetts, the app was probably installed during the last system update. I remember seeing a prompt after rebooting my phone to finish the update (this week, Pixel 3a) to enable contact tracing. I said no, but obviously the app had already been installed automatically, and apparently stayed.
To clarify: It's in your Google Account settings, not a separately broken-out setting that you see when you first bring up your phone settings, or at least it's that way on my phone.
You can be concerned by reading the top comment on this HN thread.