A new Android malware from Google

Original link: https://f-droid.org/2026/07/01/adv-malware.html

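This article criticizes Google's “Android Developer Verification” (ADV) program, describing it as a restrictive system-level measure that undermines the open-source nature of Android. The author argues that by enforcing central registration through Play Protect, Google is in effect acting as the sole gatekeeper, with the power to unilaterally define and block so-called “malware”. The article warns that because Google gives no clear definition of “malware”, the system could be used, under the guise of security, to suppress competitors such as ad-blocking software. Although Google claims the program is intended to prevent malicious activity, critics including major civil-rights and open-source organizations regard it as an unnecessary and draconian measure that forces the collection of personal data and centralizes control. The article expresses deep concern that the mandate harms software freedom and user autonomy. As the program rolls out first in certain regions, the author warns that Google is dismantling the open development model of the past 18 years and building a “trust me” security model that threatens the survival of independent software repositories such as F-Droid. The author cannot yet determine the specific technical impact of the upcoming enforcement, but is actively preparing guidance for users affected by this change to the Android ecosystem.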

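An article discussed on Hacker News criticizes Google's “Android Developer Verifier” (ADV), which the author characterizes as state-sponsored “malware”. The core of the controversy is that Google, through its Play Protect service, has introduced a system-level process that allows it to remotely block any software it deems “unauthorized”. Commenters are divided on the severity of the matter. Critics of the article consider the “malware” label overblown and likely to damage the credibility of those advocating for Android's openness. Others, however, support the framing, pointing out that Google's vague terms of service give it broad and unchecked power to define “malware”, in effect creating a “walled garden” that reflects the worst aspects of proprietary software. The discussion also touches on the “slippery slope” of such technology, with some users worried that it will eventually lead to ad blockers and independent software being banned. While some remain optimistic that technical or regulatory shifts can balance these concerns, others warn that once this kind of intrusive infrastructure is built and integrated into the operating system, it is almost impossible to remove.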

Original text

If you are running Android 8 or higher, a virus has been installed on your device and is silently awaiting remote activation. Over the past few months, devices around the world have been infected with this novel strain, with as many as 4 billion Android handsets and tablets estimated to have already been contaminated, meaning that around half of all humanity may be at risk from this threat.

Disguising itself as the innocuously-titled “Android Developer Verifier” (ADV) process, this trojan horse runs surreptitiously in the background as a system service with full root privileges, quietly awaiting an activation signal. The service cannot be blocked, disabled, or removed. Unlike a commonplace bit of malware, this extraordinary strain won’t be detected and neutralized by Play Protect (the malware scanning and remediation service that is installed on all Android Certified devices). In fact, Play Protect is itself the vector through which this virus is transmitted and installed.

That is because it is Google themselves who is propagating ADV. And once activated, this malevolent process has exactly one goal: to block you from running software by developers who haven’t been approved centrally by Google.

Threat masquerading as Protection

We first raised the alarm about the Android Developer Verification program last September (“F-Droid and Google’s Developer Registration Decree”) shortly after it was first announced. Google’s looming requirement that all Android developers register themselves centrally is rationalized as a solution to help stem the spread of malware. However it doesn’t actually feature any capabilities to prevent a malevolent actor from distributing malware in the first place; the only alleged benefit of ADV is that it may help slow the actions of an already-identified recidivist by requiring that they create (or buy) another account in order to continue distributing their malware with a new signing key.

For this fairly narrow threat vector of malware recidivism, a variety of considerably less draconian solutions have been proposed. Play Protect itself could be enhanced to scrutinize more closely those newly-installed apps that have elevated permissions or that were obtained through suspect channels, continuing with their recently touted advances in on-device security capabilities. Or a system of federated verifiers might be implemented (as proposed in “DCM: A Developers Certification Model for Mobile Ecosystems”, 2023) that would empower end-users to select their own trusted curators and authorities for ex-ante approval. Instead, Google has used this minor vector as a pretext to radically re-engineer the entire Android ecosystem by fiat, upending an 18-year tradition of open software development and positioning themselves as the world’s sole gatekeeper for which apps are permitted to exist.

What They Talk About When They Talk About Malware

Should a developer — contrary to our recommendation — elect to register themself with Google as a “verified” developer, they should expect to sign up for an account and pay a fee, surrender detailed personal information and upload government-issued identification, and then proceed to register the identifiers and signing keys for all the apps they intend to distribute (now or ever).

But the most diabolical stage is the compulsory agreement to the Android Developer Console Terms of Service. There are numerous causes for disquiet in this document, but the most concerning of all ought to be:

6.5 If You violate any of the Terms or if You distribute malware or other harmful applications, Google may terminate Your access to the ADC…

This reasonable-sounding clause begs the question: what exactly is meant by “malware”? No definition of the term is to be found anywhere in the document. With the absence of any formal definition, standard, or guideline, it implicitly states:

…and “malware” means whatever we say it means.

As we discussed in “What We Talk About When We Talk About Sideloading”, beware the dangers of allowing the terminology of debate to be defined by those who don’t have your best interests at heart. Malware being synonymous with “software we don’t like” means that they can unilaterally dictate — driven either by business incentives or by being compelled by a sufficiently powerful government — what the malware-du-jour definition is to be.

For precedent, personal content filtering in the form of “ad blockers” has long since been banned from the Play Store, and they have even classified some instances as malware. How long before they designate all ad-blocking software as malware, block installation on all Android certified devices worldwide, and permanently designate all developers of this class of software as malware creators? Such a move would certainly be aligned with their commercial incentives as the global ad-tech monopolist, and would be completely in accordance with the language of their ADC Terms and Conditions.

Like a Lead Balloon

In terms of voluntary developer uptake, their recent claim that “over 99% of [Play developers’] apps have been registered” suggests that ADV is somehow a popular and widely-accepted dictate. That couldn’t be further from the truth: those 99% of developers were auto-opted-in without their informed consent due to being already bound by their Play Store agreements.

In fact, hundreds of thousands of people have signed a petition opposing ADV. The Open Letter at keepandroidopen.org denouncing the program has been signed by over 70 organizations around the world, including the EFF, FSF, FSFE, ACLU, and the inestimable Forbrukerrådet. Any internet search, chatbot query, or social media poll will confirm that the opposition to this program is overwhelming and the condemnation is universal. 90% of viewers of the developer roundtable video where they attempt to defend the program registered a dislike of the spectacle, and even Google Gemini responds to inquiries about the popularity of the program with:

Aside from Google itself, finding full-throated, enthusiastic support for the mandatory Android Developer Verification program in the tech community is virtually impossible.

The backlash is overwhelmingly dominant—headlined by the “Keep Android Open” coalition of civil rights and open-source groups fiercely opposing the central registration requirement.

And yet their lockdown blitzkrieg proceeds apace. Legislators and regulators have thus far been unreceptive to the outcry. Our own position as a bastion of software freedom and respect for user rights and privacy is in extreme jeopardy. The F-Droid model of security and trust through open-source transparency is fundamentally at odds with the “trust me bro” security model of the closed-source commercial app stores. And while these two models have been able to co-exist for the past 16 years of F-Droid’s existence, it appears that Google intends to establish a regime where they alone have a monopoly on the definitions of “security” and “trust”.

What to Expect in the Days to Come

We do not yet know the exact failure mode to expect when the ADV activation is triggered on September 30. If you are one of the 580 million people living in Brazil, Indonesia, Singapore, or Thailand, know that these are the first four targets of the ADV lockdown according to their published timeline (global rollout is ominously predicted to then occur throughout “2027 and beyond”).

There are many things we don’t know about what to expect on September 30. Some common questions that we do not yet have the answer to, for those in the afflicted regions, are:

  • What will happen if I try to install or launch the F-Droid app?
  • What will happen to all the apps I’ve installed through F-Droid? Will they be disabled? Deleted?
  • If apps that I rely on are suddenly disappeared, what happens to the data they contain? Can I still retrieve it?
  • With all software installations and launches now being reported back to Google for verification, what specific information does that telemetry include?

We have reached out to the malware vendor with our inquiries. In the coming weeks and months leading up to the lockdown, we will be publishing more guidance and support for those due to be impacted by ADV.
