TomOwens | 4 years ago

Most of the comments on that app as well as here are probably wrong. I'd suspect that everyone who had the app "installed without their permission" opted into the Android COVID-19 Exposure Notification program. This was deployed by Google as part of an update to Google Play Services.

When you go to your phone's settings with this update, there's an option to enable COVID-19 Exposure Notifications. When you turn it on, it prompts you for your location and will download your region's app that uses your phone's new capabilities to connect to the appropriate health authorities.

Massachusetts just opted into this program in the last couple of weeks. I'm honestly not sure why they did it so late - this would have been helpful earlier. Apple iPhones also have this capability, including interoperability with Android phones, and iPhone users in Massachusetts are also able to turn on this setting.

Now, if someone can actually prove that they didn't opt into the COVID-19 Exposure Notifications, then I'd be concerned. But my guess is they opted in when it came out, but there was no app for their region, so nothing was downloaded and the feature did nothing. Then, Massachusetts rolled out the app now and lots of people who configured their phones earlier in the pandemic got a new app. They granted permission for it, perhaps months ago.

shados|4 years ago

I don't know what kind of proof you want, but I just looked at my phone settings after reading your comment. The exposure notification option is there and it's off. The region selection is grayed out because of it. Yet I got the app (uninstalled it after I saw this on Hacker News).

I did get a notification when it got installed but I thought it was just a push similar to amber alerts. I didn't realize it installed something at the time.

Still, exposure notification was never turned on.

nverno|4 years ago

I'm in Boston and it wasn't installed on my phone (exposure notifications have always been off AFAIK). I'm on an old iPhone 5s, not sure if that makes a difference or maybe just specific areas? According to this, https://thesomervillenewsweekly.blog/2021/04/05/massnotify-a..., different cities were piloting at different times, although it all seems opt in.

notacoward|4 years ago

Same here. Never opted in, just checked and that hasn't changed. I hadn't even selected a region, so it shouldn't even know which invasive app to install, but I still got it.

ollien|4 years ago

Ditto. 10 minutes before I saw this post I declined the opt-in notification for exposure notifications, yet I still had the app.

015UUZn8aEvW|4 years ago

I'm a MA resident and this app was on my (Android) phone...until a few minutes ago when I read about it on Hacker News, found it, and deleted it.

I have no memory of ever opting into the program you describe, and it isn't the type of thing I would normally do. It's possible I guess.

In any case, the way they did this is creepy. There was no icon for the app; I had to look in Settings/Apps & Notifications to find it. And neither the official state press releases nor the few local news stories about it mention that the app was installed without notice. They use vague, lawyerly language about how it can be "enabled".

maram|4 years ago

> In any case, the way they did this is creepy. There was no icon for the app; I had to look in Settings/Apps & Notifications to find it. And neither the official state press releases nor the few local news stories about it mention that the app was installed without notice. They use vague, lawyerly language about how it can be "enabled".

This incident and your comment reminded me of a story Bezos mentioned in his interview about the time Amazon deleted 1984 from Kindle. The analogy he made makes me wonder how we can compare what happened here to what Amazon did.

“Without any notice or warning just electronically go into everybody’s Kindle, who had downloaded the book and just disappear it…so it would be as if we walked into your bedroom in the middle of the night, found your bookshelf, and just took that book away”

19:48 https://youtu.be/SCpgKvZB_VQ

arpstick|4 years ago

MA resident as well, what worries me more is that someone thought that this method of installation was a good idea and even more worrying is that they were also able to execute on it. It feels rather shady and nefarious, the lack of public announcement on it. Shenanigans like this are how you get the populace to trust the local government less, which is the last thing this country needs.

abnry|4 years ago

Wow, I thought I was someone who didn't get the app when I checked the icons but once I went into settings, there it was. I even have a NH phone number but live in MA.

meragrin_|4 years ago

Did you get vaccinated? If so, did you supply your email address related to your Google account on the form or enough other information to link the two? Did you read all of the related documentation? I wouldn't be surprised if they slipped somewhere on the form that you were agreeing to it.

megous|4 years ago

There's even a standard for mobile operators to control the setting in your modem and update/install apps: https://en.wikipedia.org/wiki/OMA_Device_Management

I reverse engineered what this does in practice on the PinePhone modem (Quectel EG25G), for example, and there are pre-compiled binaries there for T-Mobile and Vodafone that process their particular OMA DM flavors, download some configuration and code from the internet and run it under root on the modem's SoC ARM CPU. (That's still isolated over USB from the main PinePhone SoC, but obviously not good.) It's also thankfully disabled by default, but if you google for oma dm android, you get reports of this protocol being used still.

Whatever it does on a regular Android phone depends on how well it is implemented on Android. Regular phones don't have two almost-isolated SoCs like the PinePhone, so the OMA DM client would probably run on the main SoC, and all depends on how secure that binary blob is or what it does/allows the operator to do.

Quectel software is a bit of a turd, so I wouldn't take from this that operators can run random code they make the device download under root user, using this protocol. Most proprietary software like this is pretty shit, so I wouldn't feel warm and fuzzy safe on a random Android device either.

owl57|4 years ago

Can one use PinePhones to collect these blobs, and then try to run them on Android simulator or whatever for more specific knowledge about operators' practices?

xeromal|4 years ago

I was about to say it might be through the carriers. I put a Verizon SIM in my phone and I got a bunch of BS apps installed on my phone a few days later.

dstaley|4 years ago

I just went through the Exposure Notifications flow on Android, and selected a region where it's not currently available (Arkansas). It displayed a message saying it wasn't supported in my region, and left the setting disabled. While it's still possible that your theory is correct, I certainly don't think it's the intended flow as of now.

tylercubell|4 years ago

I have no memory of opting in, I checked under Settings -> Google and "COVID-19 Exposure Notifications" was set to "Off", and the MassNotify app was still installed on my phone. It has no icon and the only way to find it is going to Settings -> Apps & notifications -> See all apps and it comes up under "Massachusetts Department of Public Health". Then when you go to the Google Play Store and search "MassNotify" or "mass notify" or even "Massachusetts Department of Public Health" (the exact name of the app), it doesn't come up in the search results. You have to go to "Manage apps & device" on the Google Play Store then scroll down to "MassNotify" which doesn't even match the name of the app in the other settings menu. This is pretty shady.

ptero|4 years ago

I just found this app and removed it. And I definitely did not opt into any kind of covid tracking earlier.

This app seems to use Bluetooth to track potential violations of 6ft personal space and notify people if someone from that list later gets a covid positive test. Whatever the noble goal is I do not want it on my phone, this is creepy!

studentrob|4 years ago

When you opt-in, does it notify you of all the permissions the app will require?

- view network connections

- pair with Bluetooth devices

- full network access

- run at startup

- prevent device from sleeping

dstaley|4 years ago

Virtually every non-trivial Android application has these permissions, none of which are even important enough for the system to prompt you for permission. The only interesting one is "pair with Bluetooth devices" which is how the Exposure Notifications system works.

EamonnMR|4 years ago

I have no memory of opting in to this, but it was installed on my phone.

Updated to add: well I'll be, an hour after this comment and seeing the link show me that Mass Notification was installed, I was prompted to opt-in apropos of nothing.

stevewodil|4 years ago

If it makes you feel better (or worse) I specifically opted out and this app is installed

aceazzameen|4 years ago

Another MA resident here. Never opted in and it still shows I'm not. The app was silently installed on my Android. There's no icon so I thought it didn't install at first, until I looked at my app list in settings.

I'm curious to know if there's any MA Android users that previously removed Google Play, and if they still have the app or not. My guess is no?

IG_Semmelweiss|4 years ago

You can't remove Google Play in Android versions beyond 6, I believe.

You can only disable it

mackal|4 years ago

This speculation is 100% wrong. I checked for this app after seeing this and had it listed under updates available (it was installed already)

So I decided to check if I was in fact opted in and I was not opted in. Everything was off and this app was still installed without my consent. I do have automatic UPDATES turned on, but that shouldn't tell Google to just push whatever they want to me. You should probably edit your post saying your speculation is wrong.

I don't know what kind of proof you want, but I 100% never opted in.

mackal|4 years ago

lol, just got installed on my tablet. Wasn't there earlier.

someassholeguy|4 years ago

This is a great explanation for what's occurring. I'll be interested to see what comes of all of this.

So far what I guess is:

- This is likely a government action via telco and not something done via Google* (*Unless they've opted into a program like the one you stated)

- These phones being affected COULD BE all Carrier Locked phones which have specific terms to allow such behavior.

To me, this is pretty clear cut violation of Google's Device update policy and could be considered Malware or stalkerware (by their definition): https://support.google.com/googleplay/android-developer/answ...

https://support.google.com/googleplay/android-developer/answ...

-----

I think we should all slow down on putting Google for full blame here and focus on Government abuse and overstep of powers.

JudasGoat|4 years ago

"These phones being affected COULD BE all Carrier Locked phones which have specific terms to allow such behavior." I use an unlocked Pixel 4a on Google Fi and still got the app.

enumBoss|4 years ago

I can only speak for myself, but I checked my settings and the COVID-19 Exposure Notifications setting is set to "Off" and I still had this app pushed silently to my phone. What's even worse is there's no app icon for it on the device and it doesn't show up under your app list. I only knew it was on my device at all because I have auto updates turned off and it was in the queue waiting to be updated in the Play Store.

combolo|4 years ago

I never opted in, the setting for COVID notifications has always been OFF, and I still got the app silently installed on my Android phone.

remram|4 years ago

I wasn't opted in. I have recently moved to Massachusetts, the app was probably installed during the last system update. I remember seeing a prompt after rebooting my phone to finish the update (this week, Pixel 3a) to enable contact tracing. I said no, but obviously the app had already been installed automatically, and apparently stayed.

flyinghamster|4 years ago

To clarify: It's in your Google Account settings, not a separately broken-out setting that you see when you first bring up your phone settings, or at least it's that way on my phone.

happynacho|4 years ago

You can be concerned by reading the top comment on this HN thread.