I was reading about this yesterday and confirmed that I did not have
gov.ma.covid19.exposurenotifications.v3 nor gov.ma.covid19.exposurenotifications installed. I turned off auto-updates in the Play store (Settings -> Network preferences -> Auto update apps -> Don't auto update apps) and went to sleep. This morning I woke up with a cheerful notification that Google can help with COVID notifications and gov.ma.covid19.exposurenotifications.v3 installed -- the app was pushed overnight over explicit instructions NOT to update (sure, one can say auto-install != auto-update, but it is worrying that forced pushes can happen even with every single relevant UI switch turned off).
adb logcat seems to have the following relevant lines:
06-19 09:27:54.481 1689 1990 I PackageManager: Integrity check passed for file:///data/app/vmdl1074248108.tmp
[..]
06-19 09:27:55.580 1689 5456 D PackageInstallerSession: Ignoring abandon after commit relinquished control
[..]
06-19 09:27:55.649 1689 2530 W BroadcastQueue: Background execution not allowed: receiving Intent { act=android.intent.action.PACKAGE_ADDED dat=package:gov.ma.covid19.exposurenotifications.v3 flg=0x4000010 (has extras) } to com.google.android.packageinstaller/com.android.packageinstaller.PackageInstalledReceiver
(+ lots of other similar intents)
After that the package immediately becomes active:
06-19 09:27:56.539 1689 13571 D ConnectivityService: requestNetwork for uid/pid:10450/30673 NetworkRequest [ TRACK_DEFAULT id=1249, [ Capabilities: INTERNET&NOT_RESTRICTED&TRUSTED Uid: 10450 AdministratorUids: [] RequestorUid: 10450 RequestorPackageName: gov.ma.covid19.exposurenotifications.v3] ]
06-19 09:27:56.540 1689 3625 D ConnectivityService: NetReassign [1249 : null → 102]
[..]
06-19 09:27:56.833 1689 3750 E JobScheduler.Background: App gov.ma.covid19.exposurenotifications.v3 became active but still in NEVER bucket
So no, it is not just "oh those people opted in and just forgot".
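Added example (not part of the thread, and not code from any commenter): a Python script that scans saved `adb logcat` output for the PACKAGE_ADDED broadcast quoted above and reports how soon the newly added package requested network access. The function names, the `allowlist` parameter and the placeholder year are assumptions; the sample lines are copied from the excerpt above.

```python
import re
from datetime import datetime

# Lines copied from the logcat excerpt in the comment above.
SAMPLE = """\
06-19 09:27:54.481 1689 1990 I PackageManager: Integrity check passed for file:///data/app/vmdl1074248108.tmp
06-19 09:27:55.649 1689 2530 W BroadcastQueue: Background execution not allowed: receiving Intent { act=android.intent.action.PACKAGE_ADDED dat=package:gov.ma.covid19.exposurenotifications.v3 flg=0x4000010 (has extras) } to com.google.android.packageinstaller/com.android.packageinstaller.PackageInstalledReceiver
06-19 09:27:56.539 1689 13571 D ConnectivityService: requestNetwork for uid/pid:10450/30673 NetworkRequest [ TRACK_DEFAULT id=1249, [ Capabilities: INTERNET&NOT_RESTRICTED&TRUSTED Uid: 10450 AdministratorUids: [] RequestorUid: 10450 RequestorPackageName: gov.ma.covid19.exposurenotifications.v3] ]
06-19 09:27:56.833 1689 3750 E JobScheduler.Background: App gov.ma.covid19.exposurenotifications.v3 became active but still in NEVER bucket
"""

TS = re.compile(r"^(\d\d-\d\d \d\d:\d\d:\d\d\.\d{3})\s")
ADDED = re.compile(r"act=android\.intent\.action\.PACKAGE_ADDED dat=package:([\w.]+)")
NET = re.compile(r"requestNetwork for .*RequestorPackageName: ([\w.]+)")
ACTIVE = re.compile(r"JobScheduler\.Background: App ([\w.]+) became active")

def parse_ts(line):
    """Parse the logcat timestamp; the format carries no year, so 2000 is a placeholder."""
    m = TS.match(line)
    return datetime.strptime("2000-" + m.group(1), "%Y-%m-%d %H:%M:%S.%f") if m else None

def find_installs(log_text, allowlist=()):
    """Map each newly added package to its install time and first activity times."""
    found = {}
    for line in log_text.splitlines():
        ts = parse_ts(line)
        if ts is None:
            continue  # skip "[..]" markers and other non-log lines
        m = ADDED.search(line)
        if m and m.group(1) not in allowlist:
            found.setdefault(m.group(1), {"installed": ts, "first_network": None, "first_active": None})
            continue
        for key, rx in (("first_network", NET), ("first_active", ACTIVE)):
            m = rx.search(line)
            if m and m.group(1) in found and found[m.group(1)][key] is None:
                found[m.group(1)][key] = ts
    return found

def report(log_text, allowlist=()):
    """Return (package, install time, seconds until first network request or None)."""
    rows = []
    for pkg, ev in find_installs(log_text, allowlist).items():
        net = ev["first_network"]
        delay = None if net is None else (net - ev["installed"]).total_seconds()
        rows.append((pkg, ev["installed"].strftime("%m-%d %H:%M:%S"), delay))
    return rows

if __name__ == "__main__":
    for row in report(SAMPLE):
        print(row)
```

Passing the packages you installed yourself as `allowlist` leaves only the installs you did not initiate.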
Remember when Tim Cook put Bono's album in the iTunes library of everybody? That's when it felt that the smartphones are not our devices. Someone you don't know can add a U2 album to your library without you asking for it or being able to do anything about it.
You can understand it with an OS update. It's the new shiny thing that comes with a bunch of stuff and this new one has this new app.
However, getting it without action on our own part feels very wrong. Even with games, you would receive a pack or something that you can take action to activate. When it's happening without our action, it messes with our sense of control and continuity.
Omg are you serious?! I have forever wondered how the heck I somehow managed to get the U2 album on my phone. I used to put a lot of music on my phone and assumed I did it by accident somehow even though I didn’t own the U2 album (I used to download a lot of music back then so assumed I did it by accident). That solves a crazy long-lived mystery on my end, thank you. I don’t even know how I feel about that now. I don’t like that they can push things to my device. What is next, photos? If someone can just insert data into a phone, how can we in a court of law accept that it wasn’t false? I really hope some follow-up on how this happened comes out.
If they had simply made it free to download for 24 hours, or pay-what-you-want donated to charity, few would have complained, and it would probably have generated a lot of positive rather than negative publicity.
I’d say that a single album is a minuscule change to the list and wouldn’t make finding music any harder. If it is a major change (such as a list of 10), then I could see it being “bloat”, but it’s not like you couldn’t delete it.
It doesn't "come with" this backdoor. It is this backdoor. Maintaining a connection with the Google mothership is, approximately, Play Services' entire function.
I'm not affected by this, but that's an interesting idea. I wonder what'll happen if I report this (assuming Google has a place to report vulnerabilities in its products). They'd probably dismiss it as "invalid" because, see, it's not an RCE if it's only exploited by a "trusted party" like Google themselves.
This is why I like installing a firewall in my phone.
I have used Glasswire and am pretty happy with it (no affiliation) because it allows me to block individual apps from having internet connectivity, and can configure it to notify me the first time an app tries to connect.
Of course, the problem is that it's a hassle to have to check and block new stuff, or unblock when I need to use something (e.g. Uber).
Yes, I confirmed last night that Settings -> Google -> COVID-19 Exposure Notifications was off. (Aside, I read somewhere but have not confirmed this myself that manually enabling that setting leads to a flow for installing the gov.ma.covid19.exposurenotifications app, whereas the forced update is gov.ma.covid19.exposurenotifications.v3 -- note the extra v3). By the way, MassNotify app is not visible from Play Store search (both on mobile and on desktop -- https://play.google.com/store/search?q=MassNotify) and does not create an icon -- you can only find it in Play Store via its internal name (e.g. a link like https://play.google.com/store/apps/details?id=gov.ma.covid19...), and would have to specifically look in system dialog for all apps to see if it is installed.