aj3423 / SpamBlocker

Android Call/SMS blocker.
MIT License
390 stars, 21 forks

Google Play Protect detects SpamBlocker as a malicious app since the v1.7 release #58

Closed djelloul78 closed 1 month ago

djelloul78 commented 4 months ago

Hello,

I'm opening this issue but it's not really something related to a malfunction or an enhancement request.

I've just installed the last published release (v1.7) from F-Droid this morning and I have been warned by Google Play Protect that your app is dangerous to install. It makes the app be considered malicious, and I see regular notifications on the Google Play Store requesting that I uninstall your app.

I reverted to v1.5 and no alert was raised anymore. Same with v1.6: no warning alert. But as soon as I try to install v1.7, the warnings and alerts come back. I have done the same exercise with the GitHub releases and the conclusions are the same.

It seems something doesn't fit Google Play Protect's rules, probably something it overreacts to, but I think you should take a look at this aspect. Many SpamBlocker users come from the "Yet Another Call Blocker" app, which ended up with the same Google Play Protect restrictions but isn't maintained anymore (no update for more than 3 years), and some users are afraid of using it because of these alerts and warnings.

It would be sad if your app ended up with less success than it deserves just because some GAFAM group has decided that it doesn't follow their software specification...

I don't think there's any emergency or mandatory request to update the app based on this remark. Consider this message more as a notification that may explain why there could be fewer downloads or users of your app in the coming months.

What do you think?

Thank you for your attention.

aj3423 commented 4 months ago

Thanks for the feedback. I can reproduce this with v1.7.

Seems it is marked as dangerous by the APK signature; I tested by adding 1 line of useless code to v1.7 and it doesn't show the warning anymore.

Maybe because google only scans apps that have more than 100 users.

These two permissions, QUERY_ALL_PACKAGES and PACKAGE_USAGE_STATS, are dangerous; I previously read in the Google docs that they would require a (video) explanation of why they are required. F-Droid devs had asked about this too (link) and I recorded a screencast for that. I guess this is why Google blocks this app.

I'll publish to Google soon.
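
One check a practitioner would run on two builds at this point (an added example for this thread, not code from the SpamBlocker project): decode both APKs' manifests (for example with `apktool d app.apk`), diff the permissions they declare, and flag the ones the comment above names as needing a justification for Play review. The two manifests inside the block are constructed samples imitating a v1.6 -> v1.7 change, not the project's real manifests; the flagged list and the explanations attached to it are the editor's assumption, not Google policy text.

```python
"""Diff the permissions declared by two decoded AndroidManifest.xml files
and flag the ones that need a justification for Play review.

Added example; not code from the SpamBlocker project.  OLD_MANIFEST and
NEW_MANIFEST are constructed samples, not the project's real manifests.
For a real APK, decode it first (e.g. `apktool d app.apk`) and pass the
text of app/AndroidManifest.xml to the functions below.
"""
import xml.etree.ElementTree as ET

ANDROID_NS = "http://schemas.android.com/apk/res/android"
TOOLS_NS = "http://schemas.android.com/tools"
NAME_ATTR = f"{{{ANDROID_NS}}}name"      # -> "{http://...android}name"
TOOLS_NODE = f"{{{TOOLS_NS}}}node"       # -> "{http://...tools}node"

# The two permissions the maintainer names in the comment above.  Both are
# real Android permission strings; the explanations are assumptions made
# for this example, not quoted policy.
NEEDS_JUSTIFICATION = {
    "android.permission.QUERY_ALL_PACKAGES":
        "full package visibility; needs a declaration for Play review",
    "android.permission.PACKAGE_USAGE_STATS":
        "usage access, granted only via Settings; needs a justification",
}

# Constructed sample: an older build that only needs call/SMS permissions.
OLD_MANIFEST = """
<manifest xmlns:android="http://schemas.android.com/apk/res/android"
          package="example.spamblocker">
    <uses-permission android:name="android.permission.READ_CALL_LOG"/>
    <uses-permission android:name="android.permission.RECEIVE_SMS"/>
    <uses-permission android:name="android.permission.ANSWER_PHONE_CALLS"/>
</manifest>
"""

# Constructed sample: a newer build adding the two permissions above and
# removing a library-contributed permission with tools:node="remove".
NEW_MANIFEST = """
<manifest xmlns:android="http://schemas.android.com/apk/res/android"
          xmlns:tools="http://schemas.android.com/tools"
          package="example.spamblocker">
    <uses-permission android:name="android.permission.READ_CALL_LOG"/>
    <uses-permission android:name="android.permission.RECEIVE_SMS"/>
    <uses-permission android:name="android.permission.ANSWER_PHONE_CALLS"/>
    <uses-permission android:name="android.permission.QUERY_ALL_PACKAGES"/>
    <uses-permission android:name="android.permission.PACKAGE_USAGE_STATS"
                     tools:ignore="ProtectedPermissions"/>
    <uses-permission android:name="android.permission.READ_CONTACTS"
                     tools:node="remove"/>
</manifest>
"""


def declared_permissions(manifest_xml: str) -> set[str]:
    """Permissions declared via <uses-permission> or
    <uses-permission-sdk-23>, skipping entries the build removes with
    tools:node="remove" (seen in source manifests, not merged ones)."""
    root = ET.fromstring(manifest_xml)
    perms: set[str] = set()
    for tag in ("uses-permission", "uses-permission-sdk-23"):
        for el in root.iter(tag):
            name = el.get(NAME_ATTR)
            if name and el.get(TOOLS_NODE) != "remove":
                perms.add(name)
    return perms


def permission_diff(old_xml: str, new_xml: str) -> tuple[list[str], list[str]]:
    """Return (added, removed) permission names, each sorted."""
    old, new = declared_permissions(old_xml), declared_permissions(new_xml)
    return sorted(new - old), sorted(old - new)


def flag_for_review(perms) -> dict[str, str]:
    """Subset of `perms` that needs a justification, with the reason."""
    return {p: NEEDS_JUSTIFICATION[p] for p in perms if p in NEEDS_JUSTIFICATION}


def report(old_xml: str, new_xml: str) -> str:
    """Human-readable diff: '+' added, '-' removed, '!' needs justification."""
    added, removed = permission_diff(old_xml, new_xml)
    lines = [f"+ {p}" for p in added] + [f"- {p}" for p in removed]
    lines += [f"! {p}: {why}" for p, why in flag_for_review(added).items()]
    return "\n".join(lines)


if __name__ == "__main__":
    print(report(OLD_MANIFEST, NEW_MANIFEST))
```

Run it against the decoded manifests of the last build that installed cleanly and the first one that was flagged; a `!` line is a permission whose justification (the screencast mentioned above) should be ready before the next release. Note that this only explains a policy-style flag; it says nothing about a signature- or hash-based verdict, which the check cannot see.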

djelloul78 commented 4 months ago

Don't stress yourself about Google publishing... F-Droid is an alternative that fits people looking for another way to use their devices in compliance with open-source solutions, and it makes the link between us and talented people such as you.

If Google restricts some external apps from being part of their store, why not. But branding an app as malicious with no evidence of that is another story, one that I really don't appreciate.

Keep up the good job!

djelloul78 commented 4 months ago

I think I've understood how Google Play Protect lists apps for secure usage.

I recently installed your latest 1.8 tag. As soon as I tried to install it, I received a Google Play Protect pop-up saying that this app is unknown to its database and needs to be scanned before being installed. After the quick scan, it allowed me to install it safely.

I think the app is qualified at this exact moment, and a sort of unique signature (CRC, checksum, etc.) is stored in a database used by Google Play Protect when it encounters the same app again on other devices.

I can confirm this supposed behaviour because I faced the security control pop-up on your 2 last pre-release tags and now it doesn't show anymore. I proceeded by installing the app on 2 different devices: my daily one and my professional one. I installed the first pre-release on my daily device, faced the control and scan, and installed it. 1h later, I did the same with my Pro device, and no security pop-up was shown. On your second pre-release tag, I installed it first on my Pro device; this time I had the security and scan pop-up, then waited 1h before installing it on my daily device: no security and scan pop-up.

Seems Google Play Protect is a service mainly based on users' hidden contributions. The first user that faces an unknown released app will determine the default qualification that applies for every other user.

This means you should be very careful with your main software releases, because if the first qualification says "Unsecure", knowing how slow Google services are to react and how stubborn they are about correctly understanding, it will be a real pain in the a*s to contact them in order to find a solution together, or to not have your work blacklisted for nothing.

I know you're aiming to publish your app on the Google Play Store, and such controls will be automated for you to be allowed to do so, but until then I advise you to be aware of this aspect.

Thank you for your attention.

aj3423 commented 4 months ago

I also install these releases on my phone; I'm the first one who installed them, but I never saw any popup at the time.

I just tested v1.7, v1.8, and the latest version on two phones with different Google accounts (different countries).

But my popup shows "it's harmful and blocked", not "the app is unknown to its database and needs to be scanned".

Maybe it's also based on country or device; I'm a bit confused. But since all issues have been completed, I'm working on publishing to the Play Store.

djelloul78 commented 2 months ago

Congratulations!

That's a great step you've just passed. I wish you lots of success, now that you're on a mainstream publishing platform.

Your app is great and it deserves more visibility.

aj3423 commented 1 month ago

Well, Google exposes the personal information of individual developers. For my privacy, I unpublished this app; let's just ignore that installation warning :)