celzero / rethink-app

DNS over HTTPS / DNS over Tor / DNSCrypt client, WireGuard proxifier, firewall, and connection tracker for Android.
https://rethinkfirewall.com/
Apache License 2.0

Potential Galaxy Store phishing #1526

Open AykutCevik opened 2 weeks ago

AykutCevik commented 2 weeks ago

Hello,

I came across an update notification on my Samsung device and was surprised since I didn't install the app mentioned in the app updates section of the Galaxy Store:

Screenshots:
image1: ![image](https://github.com/celzero/rethink-app/assets/1965251/22f64ee1-b7dc-4f69-ae39-75bebf6f5572)
image2: ![image](https://github.com/celzero/rethink-app/assets/1965251/3435857c-9160-4422-832f-2f26bb3a7f87)

The Galaxy store listing: https://apps.samsung.com/appquery/appDetail.as?appId=com.celzero.bravedns

After looking deeper into it, it seems someone uploaded the Rethink app with the same package name to the store and made a few changes to the UI.

I see a potential security risk here: I'm not sure if the Galaxy Store checks against the Play Store app certificate of Rethink before allowing the user to update. Actually, the Android system should make sure of it, but I wouldn't rely on that as the Galaxy Store is installed as a system app. Not to mention the confusion this now causes on the user side.

How would you rate this concern? I would suggest that Rethink claim the package in the store even if it is not used.
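The certificate check discussed above, as an added example that is not part of this thread or of rethink-app: Android's package manager only accepts an update whose signing certificate set matches the installed app's (a mismatch fails with INSTALL_FAILED_UPDATE_INCOMPATIBLE), whichever store delivers it, and the same comparison can be made by hand between the official release APK and the one a store offers. The script below extracts the certificates from each APK's v1 (JAR) signature file with a minimal DER walker and compares their SHA-256 fingerprints, the value `apksigner verify --print-certs` prints. `fake_cert` and `build_constructed_apk` are constructed stand-ins so it runs offline; the "certificate" they produce is a placeholder DER SEQUENCE, not a real X.509 certificate, and the PKCS#7 wrapper carries no real signature. APKs signed only with v2/v3 keep their certificates in the APK Signing Block, which this does not parse, and v3 key rotation (signing lineage) is not modelled.

```python
"""Compare the signing certificates of two APKs the way Android's package
manager does before accepting one as an update of the other.

Added example, not rethink-app code. It reads the v1 (JAR) signature
block META-INF/*.RSA|DSA|EC with a minimal DER walker and fingerprints
the embedded X.509 certificates (SHA-256 over the certificate DER).
"""
import fnmatch
import hashlib
import io
import zipfile

SIG_PATTERNS = ("META-INF/*.RSA", "META-INF/*.DSA", "META-INF/*.EC")
OID_SIGNED_DATA = bytes.fromhex("2a864886f70d010702")  # 1.2.840.113549.1.7.2
OID_DATA = bytes.fromhex("2a864886f70d010701")         # 1.2.840.113549.1.7.1


def der_tlv(buf, pos=0):
    """Decode one DER TLV at buf[pos]; return (tag, value, end_offset)."""
    tag, length, pos = buf[pos], buf[pos + 1], pos + 2
    if length & 0x80:                      # long form: next n bytes hold the length
        n = length & 0x7F
        length = int.from_bytes(buf[pos:pos + n], "big")
        pos += n
    return tag, buf[pos:pos + length], pos + length


def der_children(value):
    """Yield (tag, raw_tlv, inner_value) for each TLV inside a constructed value."""
    pos = 0
    while pos < len(value):
        tag, inner, end = der_tlv(value, pos)
        yield tag, value[pos:end], inner
        pos = end


def pkcs7_certificates(blob):
    """DER of every certificate in a PKCS#7 SignedData (RFC 5652 layout):
    ContentInfo { OID, [0] EXPLICIT SignedData { version, digestAlgorithms,
    encapContentInfo, certificates [0] IMPLICIT, ... } }."""
    _, content_info, _ = der_tlv(blob)
    _, _, signed_data_tlv = list(der_children(content_info))[1]
    _, signed_data, _ = der_tlv(signed_data_tlv)
    for tag, _, value in der_children(signed_data):
        if tag == 0xA0:                    # certificates [0] IMPLICIT CertificateSet
            return [raw for t, raw, _ in der_children(value) if t == 0x30]
    return []


def cert_fingerprint(cert_der):
    """SHA-256 fingerprint over the certificate DER, as hex."""
    return hashlib.sha256(cert_der).hexdigest()


def apk_signer_fingerprints(apk_bytes):
    """Sorted SHA-256 fingerprints of the v1 signing certs in an APK."""
    fps = set()
    with zipfile.ZipFile(io.BytesIO(apk_bytes)) as z:
        for name in z.namelist():
            if any(fnmatch.fnmatchcase(name, p) for p in SIG_PATTERNS):
                fps.update(cert_fingerprint(c) for c in pkcs7_certificates(z.read(name)))
    if not fps:
        # v2/v3-only APKs keep their certs in the APK Signing Block, not here.
        raise ValueError("no v1 signature block; parse the APK Signing Block instead")
    return sorted(fps)


def same_signer(installed_apk, update_apk):
    """True iff both APKs carry the same certificate set. This is the rule
    the package manager enforces (INSTALL_FAILED_UPDATE_INCOMPATIBLE on a
    mismatch) whichever store delivers the update; v3 key rotation via a
    signing lineage is the one exception and is not modelled here."""
    return apk_signer_fingerprints(installed_apk) == apk_signer_fingerprints(update_apk)


# ---- constructed inputs, so the check runs offline without a real APK ----

def der(tag, value):
    """Encode a DER TLV (short form and two-byte long-form lengths)."""
    n = len(value)
    if n < 0x80:
        length = bytes([n])
    elif n < 0x100:
        length = b"\x81" + bytes([n])
    else:
        length = b"\x82" + n.to_bytes(2, "big")
    return bytes([tag]) + length + value


def fake_cert(subject):
    """Stand-in for a certificate: a SEQUENCE holding a UTF8String. It is
    not a real X.509 certificate; only its DER bytes are fingerprinted."""
    return der(0x30, der(0x0C, subject.encode()))


def build_constructed_apk(cert_der=None):
    """Minimal APK-like zip. With cert_der, META-INF/CERT.RSA holds a skeletal
    PKCS#7 SignedData wrapping it (no real signature). With None it mimics
    an APK that carries no v1 signature file at all."""
    out = io.BytesIO()
    with zipfile.ZipFile(out, "w") as z:
        z.writestr("AndroidManifest.xml", b"<constructed/>")
        if cert_der is not None:
            signed_data = der(0x30, der(0x02, b"\x01") + der(0x31, b"")
                              + der(0x30, der(0x06, OID_DATA))
                              + der(0xA0, cert_der) + der(0x31, b""))
            z.writestr("META-INF/CERT.RSA",
                       der(0x30, der(0x06, OID_SIGNED_DATA) + der(0xA0, signed_data)))
    return out.getvalue()


if __name__ == "__main__":
    official = build_constructed_apk(fake_cert("CN=release key (constructed)"))
    squatted = build_constructed_apk(fake_cert("CN=someone else (constructed)"))
    print("same signer:", same_signer(official, squatted))  # False
```

On a real device the installed app's certificate digest is what `apksigner verify --print-certs` shows for the APK you originally installed; feed that APK and the store-delivered one to `same_signer`. A `False` result means the OS would refuse the "update" as an incompatible signer, which is the protection the comment above hopes for and the listing confusion it does not address.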

ignoramous commented 2 weeks ago

> How would you rate this concern?

Grave. To be honest, it is on Samsung if they mislead their own users and allow for app squatting.

> I would suggest that Rethink is claiming the package in the store even if it is not used.

Unsure how to achieve this (we have no plans to release Rethink in the Galaxy Store).

AykutCevik commented 2 weeks ago

I attempted to report the issue via the Galaxy Store; however, this requires the app to be installed through the Galaxy Store. Given Samsung’s significant market share, this is a notable concern.

Releasing updates to the Galaxy Store appears to be a substantial effort, involving an additional process as detailed on the Samsung Seller Portal.

yesterdays-jam commented 2 weeks ago

This is very concerning, luckily I never allow any apps to auto update from whatever store front.

Tried to report it on the listing but it's not letting me because I didn't purchase it.

Edit: there doesn't seem to be any way to report Samsung store issues to Samsung. The only way I can think of doing it is writing an error report and sending it in via Samsung Members, but that's usually for reporting application or phone errors to them.

ignoramous commented 2 weeks ago

> there doesn't seem to be any way to report samsung store issues to samsung.

Maybe their forums work better? https://us.community.samsung.com/

I'm totally flummoxed. How can Samsung update any app with someone else's from their own store? Unbelievable.

> Releasing updates to the Galaxy Store appears to be a substantial effort, involving an additional process as detailed on the Samsung Seller Portal.

Sounds like Samsung thinks bullying app developers to launch on their Store (or else, let someone else phish) is good strategy.

yesterdays-jam commented 2 weeks ago

I've posted it on their community, but it's pretty much a dead community lol

ignoramous commented 2 weeks ago

Thanks. Appreciate it.

At least I can't see the app on their website anymore from where I am. Not sure if the app has been removed from ALL countries: https://apps.samsung.com/appquery/appDetail.as?appId=com.celzero.bravedns

yesterdays-jam commented 2 weeks ago

The link still shows on mine.

yesterdays-jam commented 2 weeks ago

Minor update: someone from the team at Samsung has replied to my error report (sent them an error report via their Members app) and they've got someone from the team looking at it.