This is possibly tied to the recent assault on the ZXing Barcode scanner app[1].
This is a legit open source app that's been recently flooded by 1-star reviews claiming that the app contains malware, probably in order to get users to switch to the other apps.
The funny thing is this app has not been updated since 2019 on the Play Store, so those reviews are clearly bogus.
It takes a special kind of scum to slander an open source project in order to push malware.
The ZXing Barcode Scanner (which is the "official" barcode/QR code scanner for Android, as far as _I_ am concerned) is also available on f-droid.org. There's no absolute guarantee that F-Droid apps are malware-free but they have at least been looked at by a competent team of humans, something that is not true of the Play Store.
Does F-Droid compile the binaries themselves? Or do they just take a look at my github and then trust the .apk I build myself and send them?
I mean, I could very well make an open source app and then load some malware in the apk in addition to the well behaved thing... Are they immune from this attack?
"Apps" and "algorithms" seem to be driving literally everything about society now. I don't think this is a good thing, nor do I see the trend reversing. These giant black boxes now control the levers of modern society, and the companies that own them get to hide behind their "terms of service" to avoid any responsibility for the damage being done.
Every significant review system is being gamed to the point of being unusable, and yet stories about not being able to trust them keep being reported as if this were somehow noteworthy. For every one of these stories that rises to a thread on HN, how many other small time vendors are getting screwed by someone who is willing to pay a room full of people in some 3rd-world country to debase their competitor's online presence?
The platforms these companies provide have been so useful and successful that they have both become oligopolies and are a big part of how society operates nowadays. Think like electrical grid or roads.
But it's still not stabilized; society has not yet found out how to deal with all this.
It's like when there were no speed limits for cars or standard signage. There was more freedom but it was way more dangerous and unpredictable and also as a result, not yet as useful as it could be.
It's not necessarily anybody's fault. A company like Google maybe sees itself as a company but it's way past that. It really provides quite essential platforms for people, families, cities, you name it. And also the platform for content creators and developers and businesses.
Many of these don't have a proper contract with the platform. It doesn't scale to have lawyers to be involved in every point to point dealing either.
My assumption is that there is going to be maturation of these platforms, common rules and terms. Governments and WTO could be involved.
I knew nothing of ZXing Barcode Scanner other than it was super simple and "just works." Nice to know that it's open source! I've been happily using it on all my Android phones since I started with the HTC Dream so many years ago.
This review fraud has got way out of hand. Right now, it would be better to remove reviews entirely and for consumers to make a decision based on the product page alone. The consumer trust in reviews is at such a low that it’s adding friction to purchase decisions and starving honest businesses from being able to invest in quality products.
One solution might be to only publish reviews/ratings from accounts with a minimum spend threshold and unique active payment details. This would effectively price out the scammers.
The sheer scale of situations where the top review is negative describes something that ... is not a bug, is actually supposed to be that way, is how the dang app works by design for good reason ... is bonkers.
It seems like reviews are driven by people who don't know, and respond to reviews by people who don't know who describe what sounds like fundamentally broken things... so they give it a thumbs up and they're both completely ignorant.
The volume of people who do know the app and would see / write a review seems like it is MUCH smaller.
I had a game app update recently. I went to update it (one of the few times I go directly to the Play Store app). There at the top is a review that described how they saw opposing players "just disappear" during the game and raged about that 'bug'. But it's not a bug: the game has some fog of war and view distance type mechanic. It's entirely expected / appropriate... but there it is, the top review.
> It seems like reviews are driven by people who don't know, and respond to reviews by people who don't know who describe what sounds like fundamentally broken things... so they give it a thumbs up and they're both completely ignorant
Heh. One of Google's featured reviews for ZXing is a one star review from someone who said they started getting popup ads, and looked up the issue on a web forum which said it was ZXing's fault. It has 30+ thumbs up.
To mangle the phrase about politicians: The type of person who feels compelled to leave a review is probably the type of person who should not leave a review.
I've left online reviews a total of maybe 5 times ever. It was only ever to help very small businesses with very few reviews who gave me an exceptional and unexpected result in one way or another.
Fake reviews are not that hard to spot. Why don't we focus on educating people on how to evaluate what they read, and making informed decisions, rather than taking information (even if misinformation) away from them? It would help with fake news as well.
This statement seems very susceptible to confirmation bias. How would you get to know if what you think is genuine was actually fake? This part of the feedback loop is completely missing, and hence I find your above statement hard to believe.
Most people don’t read many reviews though. Just the ‘most helpful’ and the review tally. Worse, the store search results pages use the review scores to rank apps too.
Yeah, be careful doing anything like that on the Play Store. You can get your account randomly locked out with no explanation (I haven't been able to review apps, leave comments or contact the developer for like 3 years, and I never got an email or notice about this).
I have the same problem - paying Google customer, so I'm not allowed to leave ratings or reviews on Google's app store. Support's ignored my requests on this.
It’s doubtful that any AI is involved, but I wouldn’t be surprised if Google have an algorithm that decides that X number of negative reviews must be spam, without considering the quality and correctness of the review.
These app stores are a terrible software distribution model. Every day we hear about another reason they harm users far more than community maintained repositories and only protect the interests of the OS vendor.
App stores are no more terrible than the previous software distribution model where you Google the name of the software you want to install, find some site that "mirrors" the download, realize they've repackaged the original app with extra ads and toolbars, keep searching, find the official download link, scroll past all the misleading ads containing download buttons, download the package, and then hope the download runs on your machine.
Anybody complaining about app stores has forgotten how bad the alternatives are. And community-maintained repositories aren't a solution, that's just the app store model but on a smaller scale so it's less of a target for bad actors. If Ubuntu's universe repo had to suffer the same amount of abuse as the Play Store does, it would crumble in a day.
> And community-maintained repositories aren't a solution, that's just the app store model but on a smaller scale so it's less of a target for bad actors. If Ubuntu's universe repo had to suffer the same amount of abuse as the Play Store does, it would crumble in a day.
I disagree strongly.
Most community supported Linux distributions have fairly arduous processes by which members of the community become trusted users / MOTUs / etc. It is not simply a matter of deciding to upload something, creating an account, and clicking a button. To deliberately upload a malicious package into Universe (or similar repos in other distributions), you would have to methodically worm your way into a community over time, participating on IRC, helping contribute innocuous changes to other packages, training new users, and so on. You'd then have to apply for the ability to upload, having demonstrated both skill and the ability to work with other members of the community, as well as the need for permission to upload a specific package. This process would take months or years.
And then, you'd have to keep any changes you made pretty cleverly hidden. Anything obviously phoning home or popping up full screen ads would instantly blow your cover, wasting the whole effort you put into it. It's simply not worth it. And that's before you realize how extensively open source the build pipelines for most distributions tend to be. (I can - and have - examined the actual build process used by multiple Arch Linux packages.)
This is completely incomparable to the process for uploading to Google Play. At best you're going to have to pass some automated checks. But it's an ecosystem built around closed-source (so no peer review) software, quasi-anonymous developers, and software funded by advertising. It's infinitely easier to sneak something into an app store, get a bunch of users, and get away with it (temporarily) than it is to put malware in the repositories of a modern Linux distribution.
> you would have to methodically worm your way into a community over time, participating on IRC, helping contribute innocuous changes to other packages, training new users, and so on. You'd then have to apply for the ability to upload, having demonstrated both skill and the ability to work with other members of the community, as well as the need for permission to upload a specific package. This process would take months or years.
Sure. Or you find somebody who's already done that and pay them some money.
And then, even if they're tempted by the large amount of money, they probably get caught pretty quickly and get banned. Again, even if you can use another person's account to reputation launder, it's still a very transparent platform that's hard to pull stuff like this on.
The usual process for this with mobile apps is not to pay someone a lot of money to ship malware, but rather to buy the person's account, app, and the source code outright. This has the advantage of not having to be explicit about what you're up to, gives the original developer plausible deniability, and gives you way more control. Plus it makes reputation laundering way easier and since the app is still closed source you can make any changes you want without anyone being the wiser.
All of this is completely different from how community supported repositories are run.
Would you call it the "previous" software distribution model? I still Google software for Mac and Windows, but I can't remember the last time I had to use a dodgy mirror site. Storage and bandwidth are cheap and plentiful now, most everything has an official source.
I call it "previous" because Windows and Mac both have actual app stores now, even if many developers shun the app stores and still encourage people to find their software by searching for it on Google.
It really is pathetic. Looks more mafia-like every day - they grab control of a choke point, ensuring they get their vig, but otherwise show no interest in providing real security.
Yeah, people from areas that used to be run by the mob often say they ran things better than the government did. Mobs require some form of community support to operate from what I understand.
The "real" government is really just another mob anyway. Pay your [protection money/taxes] or get your shop [busted up/shut down] and have other bad things happen to you.
Gotta love that those bogus 1-star reviews stay up, but Google instantly came to the rescue of Robinhood when it was getting flooded by 1-star reviews that had an actual legitimate basis.
FWIW the updated date doesn't necessarily mean anything, the app could be loading code remotely via some endpoint which the article does mention as a possibility in general.
TL;DR someone apparently cloned ZXing Barcode Scanner, added annoying ads, uploaded it to the Play Store with the same name. Soon enough the malicious clone got taken down. Legitimately pissed off people who installed the malicious clone are leaving angry reviews for the non-malicious original (presumably because the malicious clone is gone from the Play Store).
Don't assume malice when it can be explained by stupidity; it is probably a confusion, as there are many apps with very similar names and on the phone the publisher is usually not listed (I checked mine), so people with the malware app gave reviews to other apps.
[1]: https://play.google.com/store/apps/details?id=com.google.zxi...