Governance Risk Compliance

Taino's Blog

Thanks Facebook for creating a new malware channel
By Taino


[Image: Facebook Application Update bypassing the Google Play store]

Facebook has created a very bad precedent: a popular application creating an alternate channel for updates.

Installed by at least 6,387,292 users, Facebook, a Top Developer in the Google Play store, has created an update process for a legitimate application that forces the user to go through a deeply flawed process without any obvious way of bypassing the upgrade.

Dramatically, the only options are to Install, Retry, or Uninstall the application. The uninstall function is unthinkable to most users nowadays as Facebook is their constant link to their world.

[Image: Facebook application update explanation]

While pressing the “Back” button on the phone or tablet immediately brings up the old “unsupported” application, this is probably going to stop working in the future.

As of today, Facebook has provided no real explanation as to why this update is necessary. In addition, they have not provided a technical reason as to why they want to bypass the Play store update procedures. However, speculation abounds. Ours is that they want to take control of their update process rather than leave it subject to the user’s “Allow automatic updating” setting in the Play store. This probably also bypasses the “Download over WiFi Only” setting and, of course, the update schedules set by the users, carriers and Google.

Of course, this also bypasses Google’s Bouncer, which has turned out to be of limited effectiveness in identifying and stopping malware. Our take is that a layer of security is better than none.

We have gotten reports of several users’ batteries being depleted while trying unsuccessfully to download the upgrade. Our experience so far is that the update does not download on two of the latest versions of Android.

In the end, the most egregious issue is that this might be the largest install of a legitimate application bypassing the established and accepted update channel. Of course, this is neither the first nor the last, but since the “Big Boys” are doing it, validation for the rest now exists.

Good luck to the users wanting to authenticate updates from now on. We wonder what other new schemes will crop up after this. The first one will probably be the fake Facebook application update.