A few days ago some users of certain Samsung Galaxy devices began to notice that within the pending updates in the Play Store (that name still feels wrong), was a strange app that they had not installed and the description of which was entirely in Russian. The application was entitled МТС Мобильная Почта, and has since been removed. What’s more, users were unable to actually find this app on their device to uninstall it. Understandably those affected were somewhat concerned about this, fearing that they had fallen victim to some kind of malware. Thankfully it wasn’t, and the MTC application itself is nothing more than an E Mail client for Russia’s Mobile Telecom Systems published by the developers OJSC.
Shortly after the issue was reported, it was discovered that uninstalling certain Samsung specific apps would prevent this MTC application from being listed under “My Apps” or the pending updates.
As identified by the nice folks at The Verge, it turns out that the E Mail application included in stock Samsung firmwares was given the “unique” application name com.seven.Z7—the same unique name as the MTC app. Apparently Seven, who used to develop E Mail services for WinMo but now offer their applications as white labels to third parties, made the mistake of giving the two applications the same name and certificate, thereby confusing the Play Store. Obviously the Samsung Mail client was not listed on Google Play, whereas the MTC app was. This caused many users to see this fictitious update for an app they did not have installed.
Anyone who was affected by this issue should already have seen it resolve itself thanks to action taken by Google, however if for any reason you are still seeing this app then the simplest solution seems to be simply clearing the Google Play’s cache and/or data. There is no longer any need to remove your Samsung specific applications, as the root of the issue is now resolved.
This does of course bring to light a possible hole in the security of the Play Store. Although this has happened before, it was not on such a large or widely reported scale. I would certainly imagine that Google will be looking to make some adjustments and make sure that this kind of error is no longer possible. Although reproducing it with malicious intent would not be easy, as the same unique app identifier and matching certificate would be required. And to be fair to Google, considering that the Samsung Mail client was not actually listed on the Play Store, technically there was no duplication of the unique ID that they could have been aware of. It still seems that there’s room for improvement here though, as Google’s rather lax policy of app screening has repeatedly come under close scrutiny. While they are not at fault here, that wouldn’t really matter if this were a malicious app rather than a simple mix up._________
Join us for xda:devcon 2014. For a limited time, XDA Portal readers get 20% off registration!