Uninstall harmful app?

MoonshineMidnight

So I turned on my GOS 6a (set to turn off every 8 hours so I can do verified boot). I am running sandboxed Google Play for push notifications for Proton Mail and Signal. I do not have a lot of apps on my phone and every one is FOSS downloaded direct from GitHub. Zero Google except the sandboxed Google suite that comes with GOS for push.

When I turned on the phone there was a drop-down notification from Google Play to uninstall a harmful call blocker app - something I have never installed. It then said "click here" on the drop-down. Needless to say I did not click and swiped to remove the drop-down message.

I have a full-blown stock Android with a ton of Google apps from Google Play and never got something like this on that phone. I really don't see how this could happen outside of one of my GitHub FOSS apps being malicious. I get a little squirrely with stuff like this as I am a vocal activist with local government and police (thus the GOS phone so they can't harvest my info from Google) and they know the phone number of the phone. Any thoughts/suggestions on how this happened otherwise?

raccoondad

MoonshineMidnight It's hard to say without more details, however I would check your apps just to make sure.

If you are in a dangerous situation, consider backing up and factory resetting, that will wipe anything malicious

MoonshineMidnight

OK, in my main app tray I did find an old FOSS call blocker so that is probably it. Sorry for the mistake. However, I did a search for this app and apparently a lot of people not using GOS but stock Android get a warning from Google Play Protect that it is malicious when it is not. So my concern is it appears the sandboxed Google suite I am using for push notifications is using Google Play Protect to scan my apps. Is this to be expected and what info overall is the sandboxed Google suite gathering from my apps? I have never signed-in to Google on GOS, but can the sandboxed Google suite glean my phone number and link it to what apps I have from GitHub?

raccoondad

MoonshineMidnight I'm fairly sure android apps can view installed applications and interact with them,

If you are in a government based threat, I would NOT recommend having google play services...or put it in another user at least

Blastoidea

Stay away from Google.

In your situation, as you have described it, you do not “need” any Google.

MoonshineMidnight

I understand the advice, but then what is the point of a "sandboxed" Google suite on GOS? Does not seem very sandboxed to me.

Eirikr70

MoonshineMidnight Since you say you use Sandboxed Google Play only for the notifications, you might check if the apps you want the notifications from are supported by UnifiedPush. In this case, you might uninstall Google Play.

Carlos-Anso

blackpill I would guess that it has what Android considers to be a "normal" app permission in its manifest called QUERY_ALL_PACKAGES. So it would be able to see the app and all other apps that are installed

This "normal" app permission is not necessary for apps to get a list of all the other apps installed in the same user profile. Unfortunately many of the "normal" app permissions, that users can not toggle, are named or function in a way that is often confusing to users. The user facing permissions, that users can toggle, are named and function in a way that users would expect.

MoonshineMidnight Does not seem very sandboxed to me.

Sanboxed Google Play is contained and has the same privileges as any other app it cant do anything else. Normally Google Play is highly privileged
https://grapheneos.org/features#sandboxed-google-play

blackpill

I'm still re-acclimating to the Android runtime and I haven't inspected the manifest of Google Play (I also don't use it), but I would guess that it has what Android considers to be a "normal" app permission in its manifest called QUERY_ALL_PACKAGES. So it would be able to see the app and all other apps that are installed, and if they have that app in their database flagged as malicious, it would trigger that prompt. That doesn't imply that app data is compromised.

https://developer.android.com/reference/kotlin/android/Manifest.permission#query_all_packages

missing-root

Also sandboxed apps can display notifications (now with permission for whatever reason) and install apps (also with permission)