Google Groups no longer supports new Usenet posts or subscriptions. Historical content remains viewable.
Dismiss
Blocked by Play Protect. This app may be harmful. Install anyway?
4,766 views
Skip to first unread message
paul
May 13, 2021, 11:25:51 AM5/13/21
to
Blocked by Play Protect. This app may be harmful. Install anyway?
I have a brand new Android 11 phone which is configured, by default, for
Google Play Protect (even though I don't even have a Google account).
In a test of SMS SOS emergency apps related to a recent thread, two of about
a dozen apps I installed flagged this Google Play Protect warning.
https://play.google.com/store/apps/details?id=org.aospstudio.securitycenter.button
https://play.google.com/store/apps/details?id=com.mysos.in
Why?
When you try to install them does Google Play pop up the same warning?
Why are they even on the Google Play store if they are flagged as dangerous?
Note that many similar apps I downloaded did not pop up that warning.
https://play.google.com/store/search?q=sos%20alert%20emergency%20%26%20safety%20app
Up until now I've always had Google Play Protect disabled so this is my
first warning from Google Play Protect.
Do you have experience with Google Play Protect so as to expound upon what
happened and why Google allows apps it knows will pop up its own warnings?
I have a brand new Android 11 phone which is configured, by default, for
Google Play Protect (even though I don't even have a Google account).
In a test of SMS SOS emergency apps related to a recent thread, two of about
a dozen apps I installed flagged this Google Play Protect warning.
https://play.google.com/store/apps/details?id=org.aospstudio.securitycenter.button
https://play.google.com/store/apps/details?id=com.mysos.in
Why?
When you try to install them does Google Play pop up the same warning?
Why are they even on the Google Play store if they are flagged as dangerous?
Note that many similar apps I downloaded did not pop up that warning.
https://play.google.com/store/search?q=sos%20alert%20emergency%20%26%20safety%20app
Up until now I've always had Google Play Protect disabled so this is my
first warning from Google Play Protect.
Do you have experience with Google Play Protect so as to expound upon what
happened and why Google allows apps it knows will pop up its own warnings?
VanguardLH
May 13, 2021, 4:48:07 PM5/13/21
to
The Potential Harmful Applications (PHAs) are like PUPs (Probably
Unwanted Programs) in other anti-virus software. PHA/PUP is something
the casual users should not use. It can be used in malicious ways, like
some other program using a PUP to do perform malicious actions. This is
why Nirsoft tools were listed as PUPs for so long, and still are by
several AVs: they provide low-level features that could be misued by
malicious processes. It's considered putting a loaded gun into the
hands of a untrained child. They don't assume, and rightly so, that all
users are educated and trained children.
Did the PHA, or whatever was the warning, from Play Protect actually
stop you from installing or using the app? Or was it just a warning and
it your choice whether to allow the app to install or run? AVs that
warn about PUPs usually let you decided whether to run them or not, and
even may let you whitelist them to eliminate further warnings.
The app's description page at the Play Store says "Shares location".
With whom? Its list of permissions includes:
- Phone
- Directly call phone numbers.
o Has it been verified it only calls the numbers you allowed?
- Read phone status and identity.
o It can track your calls.
- Location
- Precise location (GPS and network-based).
o Needed since that's the point of this app, as long as the info is
only sent to the programmed contacts.
- Device ID & call information
- Read phone status and identity.
o Why would this app need to fingerprint your phone? You're sending
a text with your location. The recipient doesn't need to know
which or whose phone you used.
- Other
o Not explained.
- Updates to this app can automatically add more permissions when it
wants instead of prompting you to allow them.
Considering the divulging of personal data this app can perform, it is
probably considered a PHA/PUP, so you have to okay its installation.
Also your choice to use software from Turkey.
https://www.linkedin.com/company/aospstudio
https://aospstudio.com/en/
Some users care, some don't.
Personally, with this app's ability to text when it wants and to send
info on your location, phone identity, and whatever is "other", I'd want
to use a carrier that lets me view a log of where my phone has texted (a
log of all calls and texts), or use a spying app, to make sure this app
didn't send data anywhere than where I configured it to send.
You are the sysadmin of your phone. Your responsibility of what to
install. The warning is telling a PUP has been presented. Your choice
to install it or drop it. You're given a warning.
It's like those road signs warning of a dip in the road. Most times you
ignore them, because the dip is minor. However, then you hit one that
heaves your heart into your groin. That was just a dip? Similarly,
you're getting a warning that an app might do something untoward, but
maybe that's why you want the app.
paul
May 13, 2021, 11:14:58 PM5/13/21
to
VanguardLH wrote on 13.05.2021 22:48
> https://developers.google.com/android/play-protect/warning-strings
Thank you for unearthing that reference as I had googled and not found
that particular set of all inclusive Google Play Protect warning strings.
The funny thing is the string I took a screenshot of for both apps is:
"This app may be harmful"
That specific string does not show up anywhere in that listing!
Still, the breadth of warnings shows that it's a general purpose scanner.
> The Potential Harmful Applications (PHAs) are like PUPs (Probably
> Unwanted Programs) in other anti-virus software. PHA/PUP is something
> the casual users should not use.
Seems to me that it's a useful feature to leave turned on given it "could"
flag an app that is "more different" than what I may have expected.
For example, it flagged two SOS apps but it didn't flag a dozen others.
So there's "something" different (good or bad) about those two SOS apps.
> Did the PHA, or whatever was the warning, from Play Protect actually
> stop you from installing or using the app?
I didn't install the apps (not knowing how to proceed).
Plus I was only testing the apps for the OP of another thread anyway.
So I wasn't fully invested in the apps anyway.
But to answer your question the warnings (which I screenshoted) give me the
option to hit the "OK" button (which is really a "stop") or to hit an
"Install anyway" link (which most likely would install the app).
Whether or not subsequent GPP scans flag the app once installed is unknown.
> Or was it just a warning and
> it your choice whether to allow the app to install or run? AVs that
> warn about PUPs usually let you decided whether to run them or not, and
> even may let you whitelist them to eliminate further warnings.
Yup. The warning allows me to install (but I didn't install them).
Makes sense your characterization of the tool.
It simply caught me by surprise as I've always disabled GPP in the past but
this is a brand new phone only a few days old so I'm still disabling things.
> The app's description page at the Play Store says "Shares location".
> With whom? Its list of permissions includes:
> ...
I downloaded almost a dozen _other_ SOS apps which didn't flag GPP warnings.
There's something _different_ about these two apps from those others.
Dunno what but I'm not invested in the apps enough to delve deeper.
I just wanted to know what this GPP stuff was as I hadn't seen warnings.
Before you posted I had also googled what GPP was doing on our phones.
To help figure out why Google Play allows apps in Google Play which are
flagged with a warning, I ran a search whose first hit tell me not much
https://support.google.com/googleplay/answer/2812853
"Google Play Protect helps you keep your device safe and secure.
It runs a safety check on apps from the Google Play Store
before you download them."
Umm. OK. Fine.
But what are they _doing_ in the Google Play Store in the 1st place?
Interestingly that support site is wrong in one way which is that it tells
you how to turn the Google Play Protect on or off but it requires Google
Play to follow those instructions.
I never use Google Play directly because I don't have a Google Account and
Google Play (sort of) requires a Google Play signin in order to do anything.
That's not exactly true of course, as Google Play certainly flagged these
apps with the warning even though I've never signed into Google on this
phone, and more so, there are shortcuts to the Google Play updates which
work on the net _without_ having to ever sign into Google play also.
https://play.google.com/store/apps/details?id=com.devhomc.myapps
Anyway, marketing information about Google Play Protect is here
https://www.android.com/intl/en_us/play-protect/
This explains it's a regular interval automatic malware scanner.
https://hackercombat.com/google-launches-play-protect-for-android-device-security/
Here's supposedly "everything you need to know about" Google Play Protect
https://www.rogtechs.com/google-play-protect/
This says it scans everything and not just apps from Google Play Store.
https://iknowallnews.com/technology/what-is-google-play-protect-and-how-does-it-keep-your-android-smartphone-safe/
This says it's "part of the Google Play Store" but that's not fully correct
as I don't log into the Google Play Store even as I download from it.
This older article says Google Play Protect started as "Verify Apps".
https://beebom.com/what-is-google-play-protect-enable-disable/
This says Google Play Protect works on Google Play Services 11 & above.
https://nerdschalk.com/how-to-turn-on-or-off-google-play-protect-on-android/
This says Google used to display badges for verified developer's apps.
https://www.makeuseof.com/tag/google-play-protect-android-secure/
This says malware with encryption can sneak past Google Play Protect.
https://techurdu.net/how-to-protect-your-phone-from-virus-or-malware-the-simplest-way-google-play-protecturduhindi/
Only one of the apps covered why Google Play might flag a perfectly good app
that is on Google Play by singling out Kingoroot, which makes sense to flag
just in case someone doesn't realize it asks for elevated privileges.
> https://developers.google.com/android/play-protect/warning-strings
Thank you for unearthing that reference as I had googled and not found
that particular set of all inclusive Google Play Protect warning strings.
The funny thing is the string I took a screenshot of for both apps is:
"This app may be harmful"
That specific string does not show up anywhere in that listing!
Still, the breadth of warnings shows that it's a general purpose scanner.
> The Potential Harmful Applications (PHAs) are like PUPs (Probably
> Unwanted Programs) in other anti-virus software. PHA/PUP is something
> the casual users should not use.
flag an app that is "more different" than what I may have expected.
For example, it flagged two SOS apps but it didn't flag a dozen others.
So there's "something" different (good or bad) about those two SOS apps.
> Did the PHA, or whatever was the warning, from Play Protect actually
> stop you from installing or using the app?
Plus I was only testing the apps for the OP of another thread anyway.
So I wasn't fully invested in the apps anyway.
But to answer your question the warnings (which I screenshoted) give me the
option to hit the "OK" button (which is really a "stop") or to hit an
"Install anyway" link (which most likely would install the app).
Whether or not subsequent GPP scans flag the app once installed is unknown.
> Or was it just a warning and
> it your choice whether to allow the app to install or run? AVs that
> warn about PUPs usually let you decided whether to run them or not, and
> even may let you whitelist them to eliminate further warnings.
Makes sense your characterization of the tool.
It simply caught me by surprise as I've always disabled GPP in the past but
this is a brand new phone only a few days old so I'm still disabling things.
> The app's description page at the Play Store says "Shares location".
> With whom? Its list of permissions includes:
> Considering the divulging of personal data this app can perform, it is
> probably considered a PHA/PUP, so you have to okay its installation.
Yeah, but.
> probably considered a PHA/PUP, so you have to okay its installation.
I downloaded almost a dozen _other_ SOS apps which didn't flag GPP warnings.
There's something _different_ about these two apps from those others.
Dunno what but I'm not invested in the apps enough to delve deeper.
I just wanted to know what this GPP stuff was as I hadn't seen warnings.
Before you posted I had also googled what GPP was doing on our phones.
To help figure out why Google Play allows apps in Google Play which are
flagged with a warning, I ran a search whose first hit tell me not much
https://support.google.com/googleplay/answer/2812853
"Google Play Protect helps you keep your device safe and secure.
It runs a safety check on apps from the Google Play Store
before you download them."
Umm. OK. Fine.
But what are they _doing_ in the Google Play Store in the 1st place?
Interestingly that support site is wrong in one way which is that it tells
you how to turn the Google Play Protect on or off but it requires Google
Play to follow those instructions.
I never use Google Play directly because I don't have a Google Account and
Google Play (sort of) requires a Google Play signin in order to do anything.
That's not exactly true of course, as Google Play certainly flagged these
apps with the warning even though I've never signed into Google on this
phone, and more so, there are shortcuts to the Google Play updates which
work on the net _without_ having to ever sign into Google play also.
https://play.google.com/store/apps/details?id=com.devhomc.myapps
Anyway, marketing information about Google Play Protect is here
https://www.android.com/intl/en_us/play-protect/
This explains it's a regular interval automatic malware scanner.
https://hackercombat.com/google-launches-play-protect-for-android-device-security/
Here's supposedly "everything you need to know about" Google Play Protect
https://www.rogtechs.com/google-play-protect/
This says it scans everything and not just apps from Google Play Store.
https://iknowallnews.com/technology/what-is-google-play-protect-and-how-does-it-keep-your-android-smartphone-safe/
This says it's "part of the Google Play Store" but that's not fully correct
as I don't log into the Google Play Store even as I download from it.
This older article says Google Play Protect started as "Verify Apps".
https://beebom.com/what-is-google-play-protect-enable-disable/
This says Google Play Protect works on Google Play Services 11 & above.
https://nerdschalk.com/how-to-turn-on-or-off-google-play-protect-on-android/
This says Google used to display badges for verified developer's apps.
https://www.makeuseof.com/tag/google-play-protect-android-secure/
This says malware with encryption can sneak past Google Play Protect.
https://techurdu.net/how-to-protect-your-phone-from-virus-or-malware-the-simplest-way-google-play-protecturduhindi/
Only one of the apps covered why Google Play might flag a perfectly good app
that is on Google Play by singling out Kingoroot, which makes sense to flag
just in case someone doesn't realize it asks for elevated privileges.
VanguardLH
May 14, 2021, 4:13:51 AM5/14/21
to
paul <nos...@nospam.invalid> wrote:
> This explains it's a regular interval automatic malware scanner.
> https://hackercombat.com/google-launches-play-protect-for-android-device-security/
Actually all current anti-virus programs on Android are not on-access
> This explains it's a regular interval automatic malware scanner.
> https://hackercombat.com/google-launches-play-protect-for-android-device-security/
(real-time) scanners, but instead trigger on the installation and
download events. When an app gets installed is when the Android AVs
scan the installation. When you download a file is when the Android AVs
scan the file. All other times the AVs are quirescent. They aren't
monitoring executable images loaded into memory (when apps get loaded),
and they aren't monitoring heuristics to notice untoward behavior during
execution of an app. Guess the presumption is that not letting in
malware at install-time or on download means you won't have malware, but
that assumes the install-time or download scan catches all malware. Yet
we all know that signatures (even those augmented by cloud scans for
unknown processes) and heuristics change over time to catch more malware
that was missed before. AVs on Android are not always watching.
I have not see other Android AVs claim they schedule a periodic scan of
the Android device (in-memory processes and files on all connected
storage). That article above says GPP does a scan at intervals. Okay,
but are those on a fixed schedule, or is some event triggering a call to
initiate an on-demand scan? You'd think they monitor when the phone was
idle, start a scan, but either suspend the GPP process or halt it when
the phone got busy again (with human I/O, not because some other app
(whether foreground or left in background) got some CPU cycles.
I think the "at intervals" is actually some trigger to rescan an app.
Apps get updated which is not an install event, so GPP rescans the
updated app. Could be it keeps a hash of each app, and checks if the
hash changed, but the interval to check could be graduated: the longer
there has been no hash change, the longer between intervals when GPP
checks if the hash changed. This is like stepping further out each
retry as more retries are attempted, so there isn't a flood of immediate
retries by the same process.
> This says Google Play Protect works on Google Play Services 11 & above.
> https://nerdschalk.com/how-to-turn-on-or-off-google-play-protect-on-android/
the Play Store app's settings under Play Protect, there is no info
regarding the version of GPP. Going into Android's Settings and looking
at apps to see versions only tells you the version of the Play Store app
or Google Play Services, not of GPP. Service versions don't match on
the OS version.
If the author is claiming Google Play Services (GPS) in the apps listing
is what decides if you have GPP or not, the author says you need GPS v11
yet mine says I'm at v21.15.15. I'm still back on Android 8.0.0 (LG
discontinued support of that phone about a year ago, and they're not
pushing out OS updates for unsupported devices, so I will never have
Android 11). I'm way past GPS 11, but Android 11 might have an even
later version of GPS 21.15.15 that I have.
Apparently GPS 11 came out a long time ago. Looks like GPP came out
around mid-2017.
paul
May 14, 2021, 10:24:02 AM5/14/21
to
VanguardLH wrote on 14.05.2021 13:43
> Actually all current anti-virus programs on Android are not on-access
> (real-time) scanners, but instead trigger on the installation and
> download events.
Thank you for that information as I had never thought about it before.
Yours is an excellent observation and for all I know, likely very true.
I googled it after I read that and I'm not sure what the truth really is.
https://www.malwarebytes.com/android/
"A privacy audit tells you which apps are monitoring your every move."
"Real-time protection shields your device from infection."
"Scans for phishing URLs when you're using the Chrome browser"
"Keep tabs on which apps can track your location"
"Searches all files and apps quickly and effectively for malware"
Dunno how much of that is clever advertising designed to make you feel
protected "real time" even if the scan only happens upon download/install.
> When an app gets installed is when the Android AVs
> scan the installation. When you download a file is when the Android AVs
> scan the file.
I don't disbelieve you and it's a good observation to test out for assurity.
They _advertise_ using "real & time" but advertising isn't always correct.
"Avira: Provides real-time malware protection"
https://www.avira.com/en/free-antivirus-android
This implies that "Android does not provide low-level information to
third-party apps" which would have allowed them access for real-time scans.
IEEE: SpyDroid:
A Framework for Employing Multiple Real-Time Malware Detectors on Android
https://ieeexplore.ieee.org/document/8659365
But these papers seem to indicate Android real time scans are possible.
https://link.springer.com/article/10.1007/s11042-016-4189-1
However even that one it can't detect "use of Rootkit at the kernel level."
This paper suggests another real-time approach to detect network traffic
A Real-time Android Malware Detection System Based on Network Traffic Analysis
https://www.researchgate.net/publication/300139707_A_Real-time_Android_Malware_Detection_System_Based_on_Network_Traffic_Analysis
> But you won't know which version of GPP that you have. When you go into
> the Play Store app's settings under Play Protect, there is no info
> regarding the version of GPP. Going into Android's Settings and looking
> at apps to see versions only tells you the version of the Play Store app
> or Google Play Services, not of GPP. Service versions don't match on
> the OS version.
This is good information to know as I never looked at GPP before this week!
A quick look in my app manager shows what you said to be true as I have
Google Play services com.google.android.gms v21.15.15
Google Play Services for AR com.google.ar.core v1.24.210950403
Google Play Store com.android.vending v25.2.22-21
Nothing else says "google play" in it and none are even close to gpp.
I also searced for "gpp" and "protect" (just in case it showed up there).
You're right; you have no obvious way of telling the GPP version.
Unless that information was wrong in the first place, which I don't know.
> If the author is claiming Google Play Services (GPS) in the apps listing
> is what decides if you have GPP or not, the author says you need GPS v11
> yet mine says I'm at v21.15.15. I'm still back on Android 8.0.0 (LG
> discontinued support of that phone about a year ago, and they're not
> pushing out OS updates for unsupported devices, so I will never have
> Android 11). I'm way past GPS 11, but Android 11 might have an even
> later version of GPS 21.15.15 that I have.
I'm on a free Samsung with Android 11 that I received only days ago.
I never would add a Google Account (nor a Samsung Account). Never.
But when I open up Google Play and hit the 3 dots, "things happen".
One of those things is I can turn off the auto update of apps.
Another of those things is I can check the update status of apps.
But a third thing is there's a menu item for Google Play Protect.
I hit that menu Google Play Google Play Protect menu item to see what it
would tell me but it just said "No harmful apps found" and then
"Play Protect scanned yesterday". Hmmmmmmmm.... Did I initiate that scan?
It says it scanned 108 apps yesterday and it has a button to "Scan" now.
"Play Protect regularly checks your apps and device for harmful behavior."
For example, this article says it should be version 11 of "GPS"
https://nerdschalk.com/how-to-turn-on-or-off-google-play-protect-on-android/
"Google Play Protect is available for devices running on Google Play
Services version 11 and above and is enabled by default on your device."
I noticed just now that the Google Play Store Google Play Protect menu
is the same Google Play Protect menu that pops up on Android 11 when I go to
Settings > Google > Security > Google Play Protect > Security Status
With the added information of "Apps scanned yesterday at 4:29PM."
> Apparently GPS 11 came out a long time ago. Looks like GPP came out
> around mid-2017.
Thank you for delving deeper into what Google Play Protect is, and more
importantly what it isn't, as most of us take this stuff for granted.
Most of us "infer" whatever we "want to infer" about most things (it's human
bias at work) so it's excellent that you're doublechecking such things.
For now I will leave the Google Play Protect scanning on but any more
information you (or anyone else) has about GPP would help all of us
make good decisions.
> Actually all current anti-virus programs on Android are not on-access
> (real-time) scanners, but instead trigger on the installation and
> download events.
Yours is an excellent observation and for all I know, likely very true.
I googled it after I read that and I'm not sure what the truth really is.
https://www.malwarebytes.com/android/
"A privacy audit tells you which apps are monitoring your every move."
"Real-time protection shields your device from infection."
"Scans for phishing URLs when you're using the Chrome browser"
"Keep tabs on which apps can track your location"
"Searches all files and apps quickly and effectively for malware"
Dunno how much of that is clever advertising designed to make you feel
protected "real time" even if the scan only happens upon download/install.
> When an app gets installed is when the Android AVs
> scan the installation. When you download a file is when the Android AVs
> scan the file.
They _advertise_ using "real & time" but advertising isn't always correct.
"Avira: Provides real-time malware protection"
https://www.avira.com/en/free-antivirus-android
This implies that "Android does not provide low-level information to
third-party apps" which would have allowed them access for real-time scans.
IEEE: SpyDroid:
A Framework for Employing Multiple Real-Time Malware Detectors on Android
https://ieeexplore.ieee.org/document/8659365
But these papers seem to indicate Android real time scans are possible.
https://link.springer.com/article/10.1007/s11042-016-4189-1
However even that one it can't detect "use of Rootkit at the kernel level."
This paper suggests another real-time approach to detect network traffic
A Real-time Android Malware Detection System Based on Network Traffic Analysis
https://www.researchgate.net/publication/300139707_A_Real-time_Android_Malware_Detection_System_Based_on_Network_Traffic_Analysis
> But you won't know which version of GPP that you have. When you go into
> the Play Store app's settings under Play Protect, there is no info
> regarding the version of GPP. Going into Android's Settings and looking
> at apps to see versions only tells you the version of the Play Store app
> or Google Play Services, not of GPP. Service versions don't match on
> the OS version.
A quick look in my app manager shows what you said to be true as I have
Google Play services com.google.android.gms v21.15.15
Google Play Services for AR com.google.ar.core v1.24.210950403
Google Play Store com.android.vending v25.2.22-21
Nothing else says "google play" in it and none are even close to gpp.
I also searced for "gpp" and "protect" (just in case it showed up there).
You're right; you have no obvious way of telling the GPP version.
Unless that information was wrong in the first place, which I don't know.
> If the author is claiming Google Play Services (GPS) in the apps listing
> is what decides if you have GPP or not, the author says you need GPS v11
> yet mine says I'm at v21.15.15. I'm still back on Android 8.0.0 (LG
> discontinued support of that phone about a year ago, and they're not
> pushing out OS updates for unsupported devices, so I will never have
> Android 11). I'm way past GPS 11, but Android 11 might have an even
> later version of GPS 21.15.15 that I have.
I never would add a Google Account (nor a Samsung Account). Never.
But when I open up Google Play and hit the 3 dots, "things happen".
One of those things is I can turn off the auto update of apps.
Another of those things is I can check the update status of apps.
But a third thing is there's a menu item for Google Play Protect.
I hit that menu Google Play Google Play Protect menu item to see what it
would tell me but it just said "No harmful apps found" and then
"Play Protect scanned yesterday". Hmmmmmmmm.... Did I initiate that scan?
It says it scanned 108 apps yesterday and it has a button to "Scan" now.
"Play Protect regularly checks your apps and device for harmful behavior."
For example, this article says it should be version 11 of "GPS"
https://nerdschalk.com/how-to-turn-on-or-off-google-play-protect-on-android/
"Google Play Protect is available for devices running on Google Play
Services version 11 and above and is enabled by default on your device."
I noticed just now that the Google Play Store Google Play Protect menu
is the same Google Play Protect menu that pops up on Android 11 when I go to
Settings > Google > Security > Google Play Protect > Security Status
With the added information of "Apps scanned yesterday at 4:29PM."
> Apparently GPS 11 came out a long time ago. Looks like GPP came out
> around mid-2017.
importantly what it isn't, as most of us take this stuff for granted.
Most of us "infer" whatever we "want to infer" about most things (it's human
bias at work) so it's excellent that you're doublechecking such things.
For now I will leave the Google Play Protect scanning on but any more
information you (or anyone else) has about GPP would help all of us
make good decisions.
Erna Natasya
Feb 5, 2023, 5:50:28 AM2/5/23
to
0 new messages