Google Play Now on the Google Toolbar; Play Store Erroneously Installing Russian Email App on Samsung Phones

We’ve got a couple of Google Play-related stories for you today. First of all, some of you should begin to notice a new addition to the Google toolbar (not the extension for browsers, but the persistent black strip you see at the top of all their sites). It’s a link to the Google Play Store. It’s simple, yet effective. Modest, yet bold. It’s there if you need it.

Secondly, there seems to be a weird bug plaguing handsets of the Samsung variety. It seems a Russian company by the name of OJSC Mobile Telesystems has a mail app that is automatically appearing on some Samsung handsets.

The name of the app is “MTC Мобильная Почта” and many are puzzled as to how it got there. It seems there’s a plausible explanation for it, and it doesn’t seem to be malicious or intentional.

The company seems to have given the app the same package name that Samsung gives their email app. As the Play Store uses these package names to identify apps, and since the Play Store can automatically update those apps, the device, by mistake, is downloading an update which replaces the app it shares its package name with. As it is being mistaken for a system app, users are finding it impossible to remove without the use of root.

It’s understandable that users are cautious and assuming the worst, what with all the stories about mobile malware lately. But signs are pointing to this being a simple, honest mistake. XDA developers examined the APK and first signs show that there is nothing malicious inside the app.

This presents an interesting new problem for Google. This is a very, very bad security vulnerability which can be used by malware developers to infect devices that have automatic updates enabled. The Google Play Store couldn’t detect a duplicate package name because Samsung’s email app was not in the Play Store – it never has been.

Seven, the company that provides these apps for OEMs and carriers to use, must also reconsider their practice. They’re giving partners apps with the same package name because they’re not intended to be used on the Google Play Store. Simply providing their partners with unique package names for each distribution of the email app would do the trick to ensure nothing like this happens.

We’re not sure what Seven’s policy is on their OEM-tailored clients being uploaded to the Android market, but we want to guess that they’re not quite fond of that. That’s just a guess, though. And, for what it’s worth, OJSC has removed the application from the Google Store, but that still doesn’t help users without root who have no other way to remove the app from their phones. Some phones do have an “uninstall updates” option for apps so be sure to try that if you’re affected by this problem. [via The Verge]
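A device-side check for the situation described above, as an added example that is not from the original article: it parses output in the format of `adb shell pm list packages -f -s` and reports preinstalled packages whose active APK now sits under `/data`, meaning an update has replaced the system copy. The sample listing, the package names and the `EXPECTED_UPDATES` allowlist are constructed for illustration, and the check assumes the listing shows each package's active APK path.

```python
# Flag preinstalled (system) packages that an installed update has replaced.
# Assumed input: lines of `package:<apk path>=<package name>`.

# Constructed sample listing; names and paths are illustrative only.
SAMPLE = """\
package:/system/app/Browser.apk=com.example.oem.browser
package:/data/app/com.example.oem.email-1.apk=com.example.oem.email
package:/data/app/~~Qx1==/com.example.maps-Zk2==/base.apk=com.example.maps
package:/system/priv-app/Settings/Settings.apk=com.example.settings
"""

# Assumption: system packages the device owner expects the store to update.
EXPECTED_UPDATES = {"com.example.maps"}


def parse_line(line):
    """Return (apk_path, package_name), or None for unrelated lines."""
    line = line.strip()
    if not line.startswith("package:"):
        return None
    body = line[len("package:"):]
    # Newer Android paths contain '=' themselves, so split on the last one.
    path, sep, name = body.rpartition("=")
    if not sep or not path or not name:
        return None
    return path, name


def replaced_system_packages(listing):
    """Map package name -> path for system packages now running from /data."""
    found = {}
    for line in listing.splitlines():
        parsed = parse_line(line)
        if parsed and parsed[0].startswith("/data/"):
            found[parsed[1]] = parsed[0]
    return found


def unexpected_updates(listing, expected=EXPECTED_UPDATES):
    """Replaced system packages that are not on the allowlist, sorted."""
    return sorted(n for n in replaced_system_packages(listing) if n not in expected)


if __name__ == "__main__":
    replaced = replaced_system_packages(SAMPLE)
    for name in unexpected_updates(SAMPLE):
        print("review:", name, "->", replaced[name])
```

Any package this reports is a candidate for the “uninstall updates” option mentioned above, which restores the copy shipped on the system partition.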
