What We Talk About When We Talk About Malware

If you are running Android 8 or higher, a virus has been installed on your device and is silently awaiting remote activation. Over the past few months, devices around the world have been infected with this novel strain, with as many as 4 billion Android handsets and tablets estimated to have already been contaminated, meaning that around half of all humanity may be at risk from this threat.

Disguising itself as the innocuously-titled “Android Developer Verifier” (ADV) process, this trojan horse runs surreptitiously in the background as a system service with full root privileges, quietly awaiting an activation signal. The service cannot be blocked, disabled, or removed. Unlike a commonplace bit of malware, this extraordinary strain won’t be detected and neutralized by Play Protect (the malware scanning and remediation service that is installed on all Android Certified devices). In fact, Play Protect is itself the vector through which this virus is transmitted and installed.

That is because it is Google themselves who are propagating ADV.

And once activated, this malevolent process has exactly one goal: to block you from running software by developers who haven’t been approved centrally by Google.

Threat masquerading as Protection

We first raised the alarm about the Android Developer Verification program last September (“F-Droid and Google’s Developer Registration Decree”) shortly after it was first announced. Google’s looming requirement that all Android developers register themselves centrally is rationalized as a solution to help stem the spread of malware.
However, it doesn’t actually feature any capabilities to prevent a malevolent actor from distributing malware in the first place; the only alleged benefit of ADV is that it may help slow the actions of an already-identified recidivist by requiring that they create (or buy) another account in order to continue distributing their malware with a new signing key.

For this fairly narrow threat vector of malware recidivism, a variety of considerably less draconian solutions have been proposed. Play Protect itself could be enhanced to scrutinize more closely those newly-installed apps that have elevated permissions or that were obtained through suspect channels, continuing with their recently touted advances in on-device security capabilities. Or a system of federated verifiers might be implemented (as proposed in “DCM: A Developers Certification Model for Mobile Ecosystems”, 2023) that would empower end-users to select their own trusted curators and authorities for ex-ante approval. Instead, Google has used this minor vector as a pretext to radically re-engineer the entire Android ecosystem by fiat, upending an 18-year tradition of open software development and positioning themselves as the world’s sole gatekeeper for which apps are permitted to exist.

What They Talk About When They Talk About Malware

Should a developer — contrary to our recommendation — elect to register themself with Google as a “verified” developer, they should expect to sign up for an account and pay a fee, surrender detailed personal information and upload government-issued identification, and then proceed to register the identifiers and signing keys for all the apps they intend to distribute (now or ever).

But the most diabolical stage is the compulsory agreement to the Android Developer Console Terms of Service.
There are numerous causes for disquiet in this document, but the most concerning of all ought to be:

6.5 If You violate any of the Terms or if You distribute malware or other harmful applications, Google may terminate Your access to the ADC…

This reasonable-sounding clause begs the question: what exactly is meant by “malware”? No definition of the term is to be found anywhere in the document. With the absence of any formal definition, standard, or guideline, it implicitly states:

…and “malware” means whatever we say it means.

As we discussed in “What We Talk About When We Talk About Sideloading”, beware the dangers of allowing the terminology of debate to be defined by those who don’t have your best interests at heart. Malware being synonymous with “software we don’t like” means that they can unilaterally dictate — driven either by business incentives or by being compelled by a sufficiently powerful government — what the malware-du-jour definition is to be.

For precedent, personal content filtering in the form of “ad blockers” has long since been banned from the Play Store, and they have even classified some instances as malware. How long before they designate all ad-blocking software as malware, block installation on all Android certified devices worldwide, and permanently designate all developers of this class of software as malware creators? Such a move would certainly be aligned with their commercial incentives as the global ad-tech monopolist, and would be completely in accordance with the language of their ADC Terms and Conditions.

Like a Lead Balloon

In terms of voluntary developer uptake, their recent claim that “over 99% of [Play developers’] apps have been registered” suggests that ADV is somehow a popular and widely-accepted dictate.
That couldn’t be further from the truth: those 99% of developers were auto-opted-in without their informed consent due to being already bound by their Play Store agreements.

In fact, hundreds of thousands of people have signed a petition opposing ADV. The Open Letter at keepandroidopen.org denouncing the program has been signed by over 70 organizations around the world, including the EFF, FSF, FSFE, ACLU, and the inestimable Forbrukerrådet. Any internet search, chatbot query, or social media poll will confirm that the opposition to this program is overwhelming and the condemnation is universal. 90% of viewers of the developer roundtable video where they attempt to defend the program registered a dislike of the spectacle, and even Google Gemini responds to inquiries about the popularity of the program with:

Aside from Google itself, finding full-throated, enthusiastic support for the mandatory Android Developer Verification program in the tech community is virtually impossible. The backlash is overwhelmingly dominant—headlined by the “Keep Android Open” coalition of civil rights and open-source groups fiercely opposing the central registration requirement.

And yet their lockdown blitzkrieg proceeds apace. Legislators and regulators have thus far been unreceptive to the outcry. Our own position as a bastion of software freedom and respect for user rights and privacy is in extreme jeopardy. The F-Droid model of security and trust through open-source transparency is fundamentally at odds with the “trust me bro” security model of the closed-source commercial app stores. And while these two models have been able to co-exist for the past 16 years of F-Droid’s existence, it appears that Google intends to establish a regime where they alone have a monopoly on the definitions of “security” and “trust”.

What to Expect in the Days to Come

We do not yet know the exact failure mode to expect when the ADV activation is triggered on September 30.
If you are one of the 580 million people living in Brazil, Indonesia, Singapore, or Thailand, know that these are the first four targets of the ADV lockdown according to their published timeline (global rollout is ominously predicted to then occur throughout “2027 and beyond”).

There are many things we don’t know about what to expect on September 30. Some common questions that we do not yet have the answer to, for those in the afflicted regions, are:

- What will happen if I try to install or launch the F-Droid app?
- What will happen to all the apps I’ve installed through F-Droid? Will they be disabled? Deleted?
- If apps that I rely on are suddenly disappeared, what happens to the data they contain? Can I still retrieve it?
- With all software installations and launches now being reported back to Google for verification, what specific information does that telemetry include?

We have reached out to the malware vendor with our inquiries. In the coming weeks and months leading up to the lockdown, we will be publishing more guidance and support for those due to be impacted by ADV.