I've been trying to wrap my head around the Android app installation process for a while now.
This is what I think I know about the process of installing apps on Android.
What do you think, did I get it right?
Did I miss something?
Insert your thoughts please.
On install of a new app, Android trusts it and its public key without question as long as there isn't another app with the same package name, e.g. "id=org.thoughtcrime.securesms".
When upgrading an app with the same package name, e.g. "id=org.thoughtcrime.securesms", Android checks the public key of the APK and, as long as it matches the previously known and trusted key, Android permits the upgrade.
Caveats
The package name is not the same as the app nickname as seen in the app drawer.
Examples:
"id=org.thoughtcrime.securesms" is currently known as Signal in the app drawer.
"id=im.vector.app" is currently known as Element.
Nicknames are not unique: multiple apps can have the same nickname and icon.
Example:
app.grapheneos.camera is nicknamed "Camera" in the app drawer, just as com.google.android.GoogleCamera also has the nickname "Camera".
In short, apps can impersonate other apps without invoking any sort of error from the Android system as long as they use a different package name compared to the original app.
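To make the rules described in the post concrete, here is a small Python model of the package-name / signing-key trust logic (an added example, not code from Android or from the original post). It is a simplified stand-in for the platform's real package manager: a first install is trusted on first use, an update under the same package name is accepted only when the signing certificate fingerprint matches the one recorded at install time, and two different package names may share a display label without any error. The result strings reuse the names of Android's PackageManager install-result constants, but the certificate bytes and the app entries are constructed inputs, and `label_collisions()` is a hypothetical helper added here to show how a defender could surface look-alike labels on a device.

```python
from __future__ import annotations

import hashlib
from dataclasses import dataclass


@dataclass(frozen=True)
class Apk:
    """The parts of an APK that matter for the trust decision."""
    package_name: str   # unique application id, e.g. org.thoughtcrime.securesms
    label: str          # display name shown in the app drawer (NOT unique)
    version_code: int
    signer_cert: bytes  # signing certificate; constructed stand-in bytes in this example

    def signer_fingerprint(self) -> str:
        # Android compares signing certificates; a SHA-256 digest stands in for that here.
        return hashlib.sha256(self.signer_cert).hexdigest()


@dataclass
class InstalledPackage:
    label: str
    version_code: int
    signer_fingerprint: str


class PackageRegistry:
    """Simplified model of the package-name / signing-key rules (not Android's code)."""

    def __init__(self) -> None:
        self.installed: dict[str, InstalledPackage] = {}

    def install(self, apk: Apk) -> str:
        fp = apk.signer_fingerprint()
        current = self.installed.get(apk.package_name)

        if current is None:
            # First install under this package name: nothing to compare against,
            # so the signer is trusted on first use (as the post describes).
            self.installed[apk.package_name] = InstalledPackage(apk.label, apk.version_code, fp)
            return "INSTALL_SUCCEEDED"

        if current.signer_fingerprint != fp:
            # Same package name but a different signer: the update is refused.
            return "INSTALL_FAILED_UPDATE_INCOMPATIBLE"

        if apk.version_code < current.version_code:
            # Matching signer, but an older version: rejected as a downgrade.
            return "INSTALL_FAILED_VERSION_DOWNGRADE"

        self.installed[apk.package_name] = InstalledPackage(apk.label, apk.version_code, fp)
        return "INSTALL_SUCCEEDED"

    def label_collisions(self) -> dict[str, list[str]]:
        """Hypothetical defender helper: labels shared by more than one package name."""
        by_label: dict[str, list[str]] = {}
        for pkg, info in self.installed.items():
            by_label.setdefault(info.label, []).append(pkg)
        return {label: sorted(pkgs) for label, pkgs in by_label.items() if len(pkgs) > 1}


def demo() -> dict[str, object]:
    """Walk through the scenarios from the post with constructed certificates."""
    reg = PackageRegistry()
    signal_cert = b"constructed-cert-A"   # stands in for the real publisher's certificate
    other_cert = b"constructed-cert-B"    # a different signer's certificate

    results = {
        "first_install": reg.install(Apk("org.thoughtcrime.securesms", "Signal", 1, signal_cert)),
        "same_key_update": reg.install(Apk("org.thoughtcrime.securesms", "Signal", 2, signal_cert)),
        "other_key_update": reg.install(Apk("org.thoughtcrime.securesms", "Signal", 3, other_cert)),
        "downgrade": reg.install(Apk("org.thoughtcrime.securesms", "Signal", 1, signal_cert)),
        # Two different package names sharing the label "Camera" install without error.
        "camera_1": reg.install(Apk("app.grapheneos.camera", "Camera", 1, b"constructed-cert-C")),
        "camera_2": reg.install(Apk("com.google.android.GoogleCamera", "Camera", 1, b"constructed-cert-D")),
    }
    results["collisions"] = reg.label_collisions()
    return results


if __name__ == "__main__":
    for name, value in demo().items():
        print(f"{name}: {value}")
```

The point the model makes visible is that the identity Android enforces is the pair (package name, signing certificate), while the label users actually see is checked by nothing; `label_collisions()` is the kind of inventory check a device-management or mobile-security tool would run to flag that gap.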