MassNotify got MassInstalled

Even creepier COVID tracking: Google silently pushed app to users’ phones [Updated]

Massachusetts launched a COVID tracking app, and uh, it was automatically installed?!


Over the weekend, Google and the state of Massachusetts managed to make creepy COVID tracking apps even creepier by automatically installing them on people's Android phones. Numerous reports on Reddit, Hacker News, and in-app reviews claim that "MassNotify," Massachusetts' COVID tracking app, silently installed on their Android device without user consent.

Google gave the following statement to 9to5Google, and the company does not deny silently installing an app.

We have been working with the Massachusetts Department of Public Health to allow users to activate the Exposure Notifications System directly from their Android phone settings. This functionality is built into the device settings and is automatically distributed by the Google Play Store, so users don’t have to download a separate app. COVID-19 Exposure Notifications are enabled only if a user proactively turns it on. Users decide whether to enable this functionality and whether to share information through the system to help warn others of possible exposure.

Google's statement doesn't really address the issue of auto-installing an app without asking. The "functionality" of COVID exposure-tracking apps is built into Google Play Services as an API that government apps can use for their tracking initiatives, and it can be "automatically distributed by the Google Play Store."

That's still not the "MassNotify" app, though. Just like every other state and national COVID app, MassNotify provides users with an interface to report COVID exposure and view health statistics for their local population. If all of these users accidentally opted-in to COVID tracking and forgot, we'd expect a statement from Google to outright deny an automatic app rollout. Google's statement does not deny the silent install, though, and instead only says COVID tracking is not enabled unless users turn it on.

COVID tracking apps were Big Tech's answer to the pandemic, with Google and Apple both building a contact-tracing platform into their mobile operating systems. The idea is that if you opt-in, your phone's Bluetooth can scan for other opted-in devices and keep a list of who you've been in contact with. If one of those people gets COVID and notifies the app, the tracking system will alert everyone it has logged lately, letting them know that they might have been exposed. Rather than run a worldwide tracking system themselves, Google and Apple only created a system API and app templates for governmental health organizations to use. In the US, this has meant every state needs to build a COVID app.

Image caption: MassNotify's reviews. Users love silently installed apps. (Credit: Google)

Google and Massachusetts' rollout of the app certainly seems sloppy. There are two versions of the "MassNotify" app on the Play Store. One version does not seem to have been silently installed, has only 1,000+ installs, and boasts a rating of 4.1 stars (out of 5). A second version—labeled "v3" in the package name—has been slammed with negative reviews (1.1 stars as of publish time) with users alleging it was automatically installed on devices; some users even questioned if the app was malware. Both apps are listed under the "MA Department of Public Health" developer account, which—uh—does not exist? The link for the developer just 404s, which really does not inspire confidence in the app's legitimacy.

Two apps are confusing

Update 4:20 pm EDT: A bit more about the two apps. Thanks to Abner Li from 9to5Google for pointing out that the screenshots in the Play Store are wrong and that the auto-installed version of MassNotify does not actually have an app icon or a public health statistics UI. It only lives in Settings -> Google -> COVID-19 Exposure Notifications, where you can turn on tracking and report that you have COVID. (How will any normal person find this if it's buried in the system settings?) This means Google's statement makes a bit more sense now when it talks about "functionality built into the settings," if you're defining a "separate app" as "a thing that has an app icon."

With no app icon, the easiest way to see if MassNotify auto-installed itself on your device is to click on this Play Store link and see if the install button is past tense ("Installed" versus "Install"). With no app icon, the auto-installed version of MassNotify will only show up in the app info system settings, and even then, if you want to uninstall it, it's not called "MassNotify." Instead, it is vaguely called "Massachusetts Department of Heath."
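The same check can be run from a computer over adb rather than through the Play Store page. The following is an added example, not part of the original article: it parses saved output of two adb commands and lists packages that the Play Store installed and that have no launcher icon. The package names and both captures are constructed, and the exact layout of the `query-activities` output is an assumption.

```python
import re

# Constructed capture of `adb shell pm list packages -3 -i` (placeholder package names).
SAMPLE_PACKAGES = """\
package:com.example.notes  installer=com.android.vending
package:com.example.exposure.placeholder  installer=com.android.vending
package:com.example.sideloaded  installer=null
"""

# Constructed capture of `adb shell cmd package query-activities --brief
#   -a android.intent.action.MAIN -c android.intent.category.LAUNCHER`
# (output layout is an assumption; only "package/activity" lines are used).
SAMPLE_LAUNCHERS = """\
2 activities found:
  priority=0 preferredOrder=0 match=0x108000 specificIndex=-1 isDefault=true
  com.example.notes/.MainActivity
  priority=0 preferredOrder=0 match=0x108000 specificIndex=-1 isDefault=true
  com.example.sideloaded/.Home
"""

PKG_LINE = re.compile(r"^package:(\S+)\s+installer=(\S+)\s*$")
COMPONENT_LINE = re.compile(r"^\s*([A-Za-z0-9_.]+)/\S+\s*$")

def parse_installers(text):
    """Map package name -> installer package from `pm list packages -i` output."""
    result = {}
    for line in text.splitlines():
        m = PKG_LINE.match(line)
        if m:
            result[m.group(1)] = m.group(2)
    return result

def parse_launcher_packages(text):
    """Set of packages that expose at least one launcher (home-screen icon) activity."""
    return {m.group(1) for line in text.splitlines() if (m := COMPONENT_LINE.match(line))}

def iconless_store_installs(packages_text, launchers_text, store="com.android.vending"):
    """Packages installed by the given store that have no launcher icon."""
    with_icon = parse_launcher_packages(launchers_text)
    return sorted(pkg for pkg, installer in parse_installers(packages_text).items()
                  if installer == store and pkg not in with_icon)

if __name__ == "__main__":
    for pkg in iconless_store_installs(SAMPLE_PACKAGES, SAMPLE_LAUNCHERS):
        print("installed by Play Store, no launcher icon:", pkg)
```

A package flagged this way is not necessarily unwanted; many legitimate services ship without an icon, so the list is a starting point for review in the app info settings.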

The version of MassNotify that is not auto-installed is a full COVID app, with a statistics UI and an app icon. This definitely increases the likelihood that someone with COVID will actually be able to find the app and report that they have COVID. The only problem is that Massachusetts does not actually link to this version on its website.

Did Google roll this out to every Massachusetts device?

Original story resumes: Massachusetts took forever to launch its COVID app, with MassNotify only launching last week, months behind other states and at a time when most responsible people are vaccinated. Despite this, incredibly, the "v3" MassNotify app has over a million installs! The Play Store only shows install numbers in tiers, so the "1,000,000+" label on MassNotify means "More than 1 million and less than 5 million," which is the next tier up. Massachusetts only has 6.8 million residents. The US smartphone install base would put Android at around 50 percent of users. Smartphone penetration is not at 100 percent of the population. If you automatically installed MassNotify on every Android device in Massachusetts, you won't hit five million devices, so that "1,000,000+" label is practically the cap. Did they roll this out to every device in Massachusetts?

With COVID vaccines readily available and mask mandates in the state lifting last month, it's hard to imagine Massachusetts residents were so enthusiastic about the new COVID tracking app that all those people willfully installed the app. MassNotify is now the most popular COVID tracking app on the Play Store. The COVID apps for California and New York, which both have at least a six-month head start on MassNotify, only have 500,000+ installs each.

If you're wondering "Can Google really install apps to an Android device without user input?" the answer is "Can they ever!" Push installs are actually the only way Google Play installs apps. When you open up the Play Store and press the install button, you're actually requesting that Google push you an app install over Firebase Cloud Messaging. Users can actually view this in action themselves by remote-installing an app from the Google Play website on a desktop computer. Nobody has to be in front of your Android phone to grant administrative privileges to anything—the app just installs because Google has a 24/7 line of access to your device. The really "fun" part is that Google can also remote uninstall apps from your phone without interaction, allowing the company to remotely nuke malware if things ever get really bad.

Last year when this whole COVID tracking app idea was being kicked around, one poll found that half of Americans don't trust these COVID tracking apps with their privacy. Decisions like this are not helping.
