Privacy @lemmy.ml Harry_Houdini @lemmy.dbzer0.com 1y ago

Today I got this POP-UP, anyone?

Originally I've download the signal app through playstore, but often it also get updates from Droid-ify(Fdroid client). Today its weird and I got this . Explain to me this.

On the Droid-ify the signal app is provided by: org.thoughtcrimes.securesms

78 comments

~~The package name is correct~~, but signal was never on F-droid.

Do you have a third party repo that might be compromised?

Edit: Package name isn't correct, so that's almost definitely a compromised version. Get rid of it ASAP.
- To add to that:
  
  Always check the projects' website to see the official ways it's distributed, before you just download it from anywhere.
  
  Not applying for signal though, as their apk site is hidden away
- org.thoughtcrimes.securesms
  
  It actually might not be, googling "org.thoughtcrimes.securesms" doesn't get results.
  
  thoughtcrimes vs. thoughtcrime
  
  My question though is how this popped up in droidify, would someone need to manually add some special repo?
  
  I missed that, thanks for pointing it out. The one without S is the correct one.
  
  But that makes me wonder, how did OP not end up with two signal apps then?
  
  Yes, where is that from? Its not in the repos I use.
- Twinhelix is the only one compiling the app from source without proprietary blobs
  
  And molly.im
Google is actually right here for once. Signal is not offered on F-Droid, and its package name is org.thoughtcrime.securesms, not org.thoughtcrimes.securesms.

Only official places to download Signal are through the Google Play Store or their website (which self-updates).
I recommend checking the official website or the Play Store to ensure that you are downloading the latest and official version of the app.
- https://www.signal.org/download/android/
  
  The official website only links to Google Play for the Android client, even on the fairly "hidden" download page.
  
  They hide it away, thats the tricky part
  
  https://signal.org/android/apk/
  
  Below the Playstore link
  
  If the official website redirects you to the Play Store, then it is safe to download the app from there.
  
  And to be noted, I don't think that the Android app client for Signal is available on F-Droid.
From which (enabled) repository does the app come. Signal is not on F-Droid or Izzydroid.
- I don't know about OP, but it is available in https://thecapslock.gitlab.io/fdroid-patched-apps/fdroid/repo and https://calyxos.gitlab.io/calyx-fdroid-repo/fdroid/repo
  
  Yes, I heard that it is in the CalyxOS repo. This seems to be a legit version.
- It is but in a different repo
"This app tries to spy on your personal data"

Needless to say Google hates competition
- They hate the competition.
- Pretty rich coming from google
- Google is like your big brother. They will beat the shit out of you. But If anyone else tries to beat you they will kick their ass.
- they obviously want all the data to themselves
org.thoughtcrimes.securesms specifically?
I may be wrong but isn't the real one org.thoughtcrime.securesms, not "crimes"?
what i get from the playstore. i notice thoughtcrime vs thoughtcrimes fyi
- I think it was a typo. I checked the droidfy (fdroid) version and
It's a fake copy of Signal

The actual package name is org.thoughtcrime.securesms, not org.thoughtcrimes.securesms

Also Google officially recommends Signal on the Android website last I checked, so I don't see why Play Protect would flag it as malware

edit: attach screenshot of package name

edit 2: fix typo in package name (accidentally typed thoughcrime)
- Thanks mate
I'm on the apk from the signal website. This showed up for me as well.
I'll just drop this here

https://molly.im/
- What is the benefit of using this instead of Signal?
  
  You get to convince your peers once more to use a different app.
  
  It's named after a rave drug.
  
  Android tablets as linked devices is why I use it. Something Signal seems to refuse to add.
  
  Fully foss dependencies, degoogled (doesnt require Google Play services), and further hardening to the app. And you can still keep your signal contacts since it is just a fork. Available through Accressant, fdroid, and github.
  
  It has an official F-droid repo.
  
  Also it may work as a temporary solution for those who are having signal troubles
Maybe a botched version and goolag was triggered. On the safe side get rid of it.

Check the repo where it was downloaded.
Use molly.Im. They have a repository for F-droid.
Got something similar yesterday, but for KDE-Connect from F-Droid. Downloaded the Play Store version instead.
- Either it got compromised or Google is warning you because it has a different signature than the Google play version
Are you installing from Playstore or FDroid?
org.thoughtcrime.securesms and I get mine from neo store /fdroid
KDEconnect from FDroid also go similar warnings. Might be related or OPs app might really be fake. https://twitter.com/albertvaka/status/1712954968477401478
Yes. I had it too!

And I download directly from the website and it aelf-updates. Nothing but an annoyance.

On the Droid-ify the signal app is provided by: org.thoughtcrimes.securesms

That's Signal.
- "Thoughtcrime" shouldnt be plural at least its not on my version and for other posters on this thread
  
  Didn't spot that. Mine is singular...
Just get a degoogled phone...
- I generally agree, but in this case, Google Protect actually protected OP from installing a harmful app masquerading as Signal.
  
  Sure? Why can people upload apps called signal there?
- me poor
  
  Degoogle your existsing device
Turn off Play "Protect".
- In most cases I'd be the first to support your idea.
  
  but here it actually blocked malware?
  
  Didn't notice the "droid-ify" part, whatever that is. Install apps from trusted sources like F-Droid or dev's website and you don't need Google to scan your phone and tell you what you can or cannot install.
- Don't, in this case it's actually blocking a fake app correctly.

78 comments