The Case of the Unintended Android Application Upgrade

There has been a lot of confusion over the last few hours after an application named “МТС Мобильная Почта” was automatically added to the My Apps section of some Samsung devices as an apparent application upgrade, even though these devices had never installed that application. Some users thought this was a bug in Google’s upgrade mechanism, but it appears Google is not responsible for these unintended updates.

When Android was first released, Symantec attempted multiple upgrade scenarios to determine which fields are mandatory for an upgrade to occur and to test whether rogue publishers could replace existing applications. Applications developed for the Android platform are required to declare a unique identifier, known as the package name. We determined that, along with this unique identifier, three other items are required before an application can be updated through Google Play:

  • The upgraded application must be signed with the same signature as the existing package
  • The versionCode and versionName for the upgraded application must have higher values than the existing application

The above signature requirement prevents issues if independent parties accidentally choose the same package name. Also, as a side note, users of the Google Play automatic update feature will get automatic upgrades deployed to their devices only if the application doesn’t require more permissions than the existing one. This is another countermeasure to prevent malicious publishers from elevating privileges.
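The upgrade rules above, modelled as an added example (this is not Symantec's or Google's code; the `ApkInfo` structure, the function names, the placeholder package name and the fake certificate bytes are all constructed for illustration). It shows why a same-key, higher-version package is accepted as an upgrade while a different signer or an older version is refused, and how the automatic-update permission check adds a further gate:

```python
from dataclasses import dataclass, field
import hashlib

@dataclass(frozen=True)
class ApkInfo:
    """Manifest fields and signer that the upgrade check compares (assumed model)."""
    package: str            # unique identifier declared in the manifest
    version_code: int       # integer versionCode
    version_name: str       # dotted versionName, e.g. "2.1.0"
    signer_cert_der: bytes  # DER bytes of the signing certificate
    permissions: frozenset = field(default_factory=frozenset)

    @property
    def signer_fingerprint(self) -> str:
        # The platform matches the certificate bytes, not its Subject text,
        # so a certificate with a copied Subject but a different key fails.
        return hashlib.sha256(self.signer_cert_der).hexdigest()

def version_key(name: str) -> tuple:
    """Turn '2.10.1' into (2, 10, 1) so versionNames compare numerically."""
    return tuple(int(part) for part in name.split("."))

def upgrade_reasons(installed: ApkInfo, candidate: ApkInfo, automatic: bool = False) -> list:
    """Reasons the candidate may NOT replace `installed`; an empty list means accepted."""
    reasons = []
    if installed.package != candidate.package:
        reasons.append("package name differs")
    if installed.signer_fingerprint != candidate.signer_fingerprint:
        reasons.append("signing certificate differs")
    if candidate.version_code <= installed.version_code:
        reasons.append("versionCode not higher")
    if version_key(candidate.version_name) <= version_key(installed.version_name):
        reasons.append("versionName not higher")
    new_perms = candidate.permissions - installed.permissions
    if automatic and new_perms:  # auto-update refuses newly requested permissions
        reasons.append("new permissions: " + ", ".join(sorted(new_perms)))
    return reasons

# Constructed sample data: placeholder package name and fake certificate bytes.
PKG, NET = "com.example.sharedpkg", frozenset({"INTERNET"})
SEVEN_CERT = b"constructed-DER-bytes-standing-in-for-the-Seven-Networks-cert"
SOCIAL_HUB = ApkInfo(PKG, 10, "1.0.0", SEVEN_CERT, NET)          # pre-installed
MTS_MAIL = ApkInfo(PKG, 25, "2.3.0", SEVEN_CERT, NET)            # same key, newer
MTS_MAIL_OLD = ApkInfo(PKG, 5, "0.9.0", SEVEN_CERT, NET)         # same key, older
IMPOSTOR = ApkInfo(PKG, 25, "2.3.0", b"constructed-other-cert", NET)
MTS_MAIL_SMS = ApkInfo(PKG, 26, "2.4.0", SEVEN_CERT, NET | {"READ_SMS"})
if __name__ == "__main__":
    for label, apk in [("MTS newer", MTS_MAIL), ("MTS older", MTS_MAIL_OLD), ("impostor", IMPOSTOR)]:
        print(label, "->", upgrade_reasons(SOCIAL_HUB, apk) or "upgrade accepted")
    print("auto-update, new permission ->", upgrade_reasons(SOCIAL_HUB, MTS_MAIL_SMS, True))
```

The `MTS_MAIL_OLD` case is the situation that held until the MTS version numbers overtook the pre-installed app; the `IMPOSTOR` case is what the signature requirement is there to stop.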

However, a few hours ago, some Android users started seeing the application published by MTS appearing as an upgrade for an unrelated Samsung app named Social Hub. Unfortunately, both used the same package name ''.

Samsung’s Social Hub is an application that comes pre-installed with some devices, and has never been published in Google Play.

Samsung’s Social Hub is signed by a company named Seven, which develops mobile applications:

       Version: 3 (0x2)
       Serial Number: 1235473566 (0x49a3d49e)
       Signature Algorithm: sha1WithRSAEncryption
       Issuer: C=US, ST=California, L=Redwood City, O=Seven Networks, OU=Seven Networks, CN=Seven Networks
           Not Before: Feb 24 11:06:06 2009 GMT
           Not After : Jul 12 11:06:06 2036 GMT
       Subject: C=US, ST=California, L=Redwood City, O=Seven Networks, OU=Seven Networks, CN=Seven Networks

Accidentally using the same package name, however, is not enough to allow an upgrade over another unrelated application. In this case, the signing key of the MTS application is also the same and this simply appears to be a case of an outsourced developer accidentally using the same signature and package name for two of their products: one given to Samsung and another given to MTS.

Interestingly, our records show a 'com.sevenZ7' application has been available in the Android Market since late 2011. Likely the issue has only arisen now because the version numbers are greater than the Samsung application, fulfilling one of the key criteria for an upgrade to occur.

Update: Google has now suspended the application, so it is no longer available for download from Google Play.