Cryptographers around the world are still designing privacy-preserving contact tracing systems for combating the spread of COVID-19.
Even though some papers have been published (one using zero-knowledge proofs, another based on blockchain (sigh)), the ink is still very wet. The first framework designed by Apple and Google needs work but was surprisingly not god-awful.
That is to say: As of 2020-05-08, there is currently no implementation of privacy-preserving contact tracing available to the world. It might be coming soon, but it ain’t here yet.
But a quick search through the Google Play Store would surely lead you to believe otherwise.
The first thing that leaps out is that there are two advertisements for things that are mostly irrelevant to contact tracing. Since “contact tracing” is a hot topic (and will only become increasingly hot when the real apps are ready to be deployed), it’s clear that there’s a profit incentive at work.
But with a little further study, we can see that this profit motive persists as we look down the list.
The first one (an app named simply “Contact Tracing”) was first published in March 2020, so it was clearly created to capitalize on the pandemic.
The source code for their app (which was written in Cordova, and thus didn’t even require any effort reverse-engineering) contains a lot of references to a product named “Crypto Account Manager” by the same company.
Ah yes, Cryptocurrency! That’s exactly what an Android user wanted when they search for “contact tracing”.
This is exactly the kind of disingenuous behavior you expect from the sorts of bottom-feeders that would capitalize on a pandemic for profit.
Worth noting: The CDC app at the bottom was legitimate, but their development team is clearly having a tough time.
There’s probably a lot more to be found (if anyone wants to take the time). You might even find actual Android malware. (As far as I can tell, these apps are only trying to exploit humans, not machines, so I cannot classify them as malware.)
But what you won’t find is a privacy-preserving contact tracing app, so don’t look for it just yet.
Want to know when one is available? Follow me on Twitter for updates: @SoatokDhole.
Which Apps Aren’t Fraudulent?
The CDC app, which was originally created for Tuberculosis contact tracing, is legitimate (but not privacy-preserving in the way that cryptographers care about).
The TraceTogether app is the contact tracing app produced by the Singapore government.
The Takeaway
Just because it’s in the Google Play Store doesn’t mean it’s authentic or trustworthy. This should be common knowledge, but it never hurts to remind everyone.
That being said, I really wish Google would police its app store better.
I also wish they would forbid advertisements relating to national or global emergencies; i.e. COVID-19.
2 replies on “Fraudulent Apps on the Google Play Store: COVID-19 Contact Tracing Edition”
[…] May, I discovered some fraudulent “COVID-19 contact tracing” apps on the Google Play store which all appear to have since been taken down, then proceeded to teach the furry fandom how to […]
[…] the apps I discussed last year, Safer Illinois isn’t a fake contact tracing app. It’s the real […]