Google appears to have silently installed the Massachusetts COVID-19 contact tracing app onto users' smartphones. The "MassNotify" app was found to have been automatically installed onto users' devices and has no application icon on the home screen or searchable Play Store listing. While some theorized that it was installed automatically on devices that had turned on Android Exposure Notifications, a number of users have reported that they did not enable that feature and that the app was still installed onto their smartphone.
MassNotify's Help Desk was contacted by a YCombinator's Hacker News reader (via Bleeping Computer), and they told the person that the installation of the app does not mean that the app is active or running in the background.
"The appearance of MassNotify in the app list does not mean that MassNotify is enabled on your phone. The presence of the app merely means that MassNotify has been made available as an option in your phone's settings if you wish to enable it. For more information about this, please see this help center article from Google: https://support.google.com/android/answer/10775533. You can see whether MassNotify is active by going to Settings -> Google -> COVID-19 Exposure Notifications. The “Use Exposure Notifications” toggle at the top of the page will show you whether MassNotify is active or not. From this screen, you can also enable or disable MassNotify at any time."
Users report that the app was not easy to uninstall unless they could find the Play Store listing through the app's package name. Many users first discovered they even had the app installed when they were prompted to update it. The reviews for the app are currently filled with users saying that the app had been installed onto their smartphones without their consent and that the app could not be easily uninstalled.
MassNotify is the official state of Massachusetts' app that uses the Exposure Notifications API to detect when you are considered a "close contact" of another person who self-reported a positive COVID-19 diagnosis. The API works cross-platform between Android and iOS and has been deployed and used successfully in some countries worldwide. However, an app should still not be installed without the consent of the device owner, particularly not one that collects device data. It sets a bad precedent for Google to force the installation of apps on devices, even if there is no malintent and the data is anonymous.
Bleeping Computer reached out to Google to ask a number of questions about MassNotify, and received the following response:
"We have been working with the Massachusetts Department of Public Health to allow users to activate the Exposure Notifications System directly from their Android phone settings. This functionality is built into the device settings and is automatically distributed by the Google Play Store, so users don't have to download a separate app. COVID-19 Exposure Notifications are enabled only if a user proactively turns it on. Users decide whether to enable this functionality and whether to share information through the system to help warn others of possible exposure."