Authenticate com.android.vending is a playstore .apk signed by Google #34

Open
kpcyrd opened this issue Aug 4, 2023 · 2 comments

@kpcyrd
Collaborator

kpcyrd commented Aug 4, 2023

When scanning a phone there used to be a long list of findings like this (and still is on the latest release binary):

high: Package "com.google.android.apps.maps" was manually installed by an unknown installer: "com.android.vending"

Since this ID belongs to the Google Play Store, this finding was muted to keep the signal:noise ratio of findings high (since their store is moderated and connected to Play Protect):

match self.installer_package_name() {
    Some("com.android.vending") => {
        // TODO: authenticate this application is a legitimate google play store .apk
    }
    Some("com.android.packageinstaller") => {
        sus.push(Suspicion {
            level: SuspicionLevel::High,
            description: format!("Package {:?} was manually installed", self.id),
        });
    }
    Some(installer) => {
        sus.push(Suspicion {
            level: SuspicionLevel::High,
            description: format!(
                "Package {:?} was manually installed by an unknown installer: {:?}",
                self.id, installer
            ),
        });
    }
    None => (),
}

There should be a step that verifies the signature of the apk with this ID was actually signed by google.

I currently do not have an .apk to test with, the phone I have for testing has MicroG installed (which apparently registers an unsigned .apk to this ID). If somebody has a copy of a google signed playstore apk, feel free to attach it to this issue in a comment (github allows attaching files).

To pull the apk:

  1. Run adb shell pm list packages -f com.android.vending
  2. Run adb pull ... with the path it prints in the previous command

I can probably get access to another phone (with everything stock) after next week.

@Te-k
Collaborator

Te-k commented Aug 7, 2023

They are split on my test phone:

ls com.android.vending_*
com.android.vending_base.apk                      com.android.vending_split_config.en.apk
com.android.vending_split_config.armeabi_v7a.apk  com.android.vending_split_config.fr.apk

Here is the base one : https://lufi.ethibox.fr/r/TKfVeXyw9w#CgNZPELa2gSsZBnTSrWgxlIPqOSDlqxgxL55a2Y1ano= (I don't think you can attach APKs on github)

@kpcyrd
Collaborator Author

kpcyrd commented Aug 9, 2023

Thanks for the sample!

It seems I've been using the wrong commands, I found this stackoverflow thread and was using

% jarsigner -verify -verbose -certs com.android.vending_base.apk

  s = signature was verified 
  m = entry is listed in manifest
  k = at least one certificate was found in keystore

no manifest.

jar is unsigned.

Instead, using apksigcopier I was able to extract something that seems related to signing, it also seems the assumption I posted about microg earlier was incorrect (at least the signature block also mentions Google Inc):

% mkdir meta
% apksigcopier extract com.android.vending_base.apk meta
% cat -v meta/APKSigningBlock
[...]
California1^V0^T^F^CU^D^G^S^MMountain View1^T0^R^F^CU^D
^S^KGoogle Inc.1^P0^N^F^CU^D^K^S^GAndroid1^P0^N^F^CU^D^C^S^GAndroid0^^^W^M080821231334Z^W^M360107231334Z0t1^K0  ^F^CU^D^F^S^BUS1^S0^Q^F^CU^D^H^S
  4 California1^V0^T^F^CU^D^G^S^MMountain View1^T0^R^F^CU^D
[...]

I still need to investigate the data format of the signature block, and how apksigcopier extracts it (file meta/APKSigningBlock reports data, which basically means 'unknown binary').


I also somehow dismissed the apksigner answer on stackoverflow (possibly because I couldn't find the tool in Arch Linux, pulling it from Debian worked):

% podman run -it --rm -v "$PWD:/files:ro" debian:stable
root@620cefa1dbcf:/# apt update && apt install -y apksigner
[...]
root@620cefa1dbcf:/# apksigner verify --print-certs /files/com.android.vending_base.apk
Signer #1 certificate DN: CN=Android, OU=Android, O=Google Inc., L=Mountain View, ST=California, C=US
Signer #1 certificate SHA-256 digest: f0fd6c5b410f25cb25c3b53346c8972fae30f8ee7411df910480ad6b2d60db83
Signer #1 certificate SHA-1 digest: 38918a453d07199354f8b19af05ec6562ced5788
Signer #1 certificate MD5 digest: cde9f6208d672b54b1dacc0b7029f5eb
Source Stamp Signer certificate DN: CN=Android, OU=Android, O=Google Inc., L=Mountain View, ST=California, C=US
Source Stamp Signer certificate SHA-256 digest: 3257d599a49d2c961a471ca9843f59d341a405884583fc087df4237b733bbd6d
Source Stamp Signer certificate SHA-1 digest: b1af3a0bf998aeede1a8716a539e5a59da1d86d6
Source Stamp Signer certificate MD5 digest: 577b8a9fbc7e308321aec6411169d2fb
WARNING: SourceStamp: Unknown stamp attribute: ID 0xe43c5946
root@620cefa1dbcf:/# apksigner verify --print-certs /files/base.apk
Signer #1 certificate DN: CN=Android, OU=Android, O=Google Inc., L=Mountain View, ST=California, C=US
Signer #1 certificate SHA-256 digest: f0fd6c5b410f25cb25c3b53346c8972fae30f8ee7411df910480ad6b2d60db83
Signer #1 certificate SHA-1 digest: 38918a453d07199354f8b19af05ec6562ced5788
Signer #1 certificate MD5 digest: cde9f6208d672b54b1dacc0b7029f5eb
Source Stamp Signer certificate DN: CN=Android, OU=Android, O=Google Inc., L=Mountain View, ST=California, C=US
Source Stamp Signer certificate SHA-256 digest: 3257d599a49d2c961a471ca9843f59d341a405884583fc087df4237b733bbd6d
Source Stamp Signer certificate SHA-1 digest: b1af3a0bf998aeede1a8716a539e5a59da1d86d6
Source Stamp Signer certificate MD5 digest: 577b8a9fbc7e308321aec6411169d2fb
WARNING: SourceStamp: Unknown stamp attribute: ID 0xe43c5946
root@620cefa1dbcf:/# 

This demonstrates nicely how this feature is supposed to work, both apks (the one I pulled from microg and the one you provided) have been released by the same entity (installing an android-sdk shouldn't become a dependency of this tool though).


Something I'm not sure about is how installerPackageName behaves if:

  1. You uninstall any app with the id com.android.vending (if present)
  2. Install a custom apk with the id com.android.vending
  3. Using the custom apk you install your stalkerware apk
  4. You uninstall your custom com.android.vending and reinstall the real playstore apk

Would android still list com.android.vending as installerPackageName for the stalkerware apk? Would it list some other value?
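
The signing-block format kpcyrd says still needs investigating, and the check the TODO in the first comment asks for, as an added example that is not part of this issue or of the project's code: a Python parser that locates the APK Signing Block in front of the zip central directory, walks the v2/v3 signer structure down to the signer certificate, and compares its SHA-256 with the Play Store fingerprint that apksigner printed above. Everything here uses only the standard library; the function names, the `build_test_apk` fixture and its dummy certificate bytes are assumptions of this example, not anything from the project.

```python
"""Locate the APK Signing Block of an .apk and fingerprint its signer certificate(s)."""
import hashlib
import io
import struct
import zipfile

APK_SIG_BLOCK_MAGIC = b"APK Sig Block 42"
EOCD_SIG = b"PK\x05\x06"
SIG_SCHEME_IDS = {0x7109871A: "v2", 0xF05368C0: "v3", 0x1B93AD61: "v3.1"}
# SHA-256 of the signer certificate that `apksigner verify --print-certs` reported for
# the Play Store sample in this thread; assumed here to identify Google's release key.
GOOGLE_PLAY_CERT_SHA256 = "f0fd6c5b410f25cb25c3b53346c8972fae30f8ee7411df910480ad6b2d60db83"


def find_eocd(data: bytes) -> tuple[int, int]:
    """Return (eocd_offset, central_directory_offset); tolerates a trailing zip comment."""
    eocd = data.rfind(EOCD_SIG, max(0, len(data) - 22 - 0xFFFF))
    if eocd < 0:
        raise ValueError("no End of Central Directory record")
    return eocd, struct.unpack_from("<I", data, eocd + 16)[0]


def find_signing_block(data: bytes) -> bytes:
    """Return the ID-value pairs of the APK Signing Block sitting before the central directory.
    Layout: u64 size | pairs | u64 size | 16-byte magic; size counts everything after the
    first u64, i.e. len(pairs) + 8 + 16."""
    _, cd_offset = find_eocd(data)
    if cd_offset < 24:
        raise ValueError("no APK Signing Block (APK is unsigned or v1-only)")
    size, magic = struct.unpack_from("<Q16s", data, cd_offset - 24)
    if magic != APK_SIG_BLOCK_MAGIC:
        raise ValueError("no APK Signing Block (APK is unsigned or v1-only)")
    block_start = cd_offset - size - 8
    if block_start < 0 or struct.unpack_from("<Q", data, block_start)[0] != size:
        raise ValueError("APK Signing Block size fields disagree")
    return data[block_start + 8 : cd_offset - 24]


def parse_pairs(pairs: bytes) -> dict[int, bytes]:
    """Split the block into {id: value}; a pair is u64 length (of id+value), u32 id, value."""
    out, off = {}, 0
    while off + 12 <= len(pairs):
        length, pair_id = struct.unpack_from("<QI", pairs, off)
        out[pair_id] = pairs[off + 12 : off + 8 + length]
        off += 8 + length
    return out


def _lp(buf: bytes, off: int) -> tuple[bytes, int]:
    """Read one u32 length-prefixed field (the encoding used throughout the signer data)."""
    n = struct.unpack_from("<I", buf, off)[0]
    return buf[off + 4 : off + 4 + n], off + 4 + n


def signer_certs(scheme_value: bytes) -> list[bytes]:
    """First DER certificate of every signer. v2 and v3 both open each signer with
    length-prefixed signed data whose first two fields are the digests sequence and the
    certificates sequence; the fields that differ between the schemes come later."""
    signers, _ = _lp(scheme_value, 0)
    certs, off = [], 0
    while off < len(signers):
        signer, off = _lp(signers, off)
        signed_data, _ = _lp(signer, 0)
        _digests, pos = _lp(signed_data, 0)
        cert_seq, _ = _lp(signed_data, pos)
        first_cert, _ = _lp(cert_seq, 0)
        certs.append(first_cert)
    return certs


def sha256_hex(data: bytes) -> str:
    return hashlib.sha256(data).hexdigest()


def signer_fingerprints(apk: bytes) -> dict[str, list[str]]:
    """{scheme: [sha256 of the first cert of each signer]} for every scheme in the block."""
    result = {}
    for pair_id, value in parse_pairs(find_signing_block(apk)).items():
        if pair_id in SIG_SCHEME_IDS:
            result[SIG_SCHEME_IDS[pair_id]] = [sha256_hex(c) for c in signer_certs(value)]
    return result


def looks_google_signed(apk: bytes) -> bool:
    """Identity check only: does any signer certificate match the known Play Store fingerprint?"""
    return any(GOOGLE_PLAY_CERT_SHA256 in fps for fps in signer_fingerprints(apk).values())


def _lpb(b: bytes) -> bytes:
    return struct.pack("<I", len(b)) + b


def build_test_apk(cert_der: bytes, signed: bool = True) -> bytes:
    """Constructed fixture, not a real APK: a tiny zip, optionally with a v2 block that carries
    `cert_der` as the signer certificate and dummy bytes in the signature fields."""
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w") as z:
        z.writestr("AndroidManifest.xml", b"<placeholder/>")
    zbytes = buf.getvalue()
    if not signed:
        return zbytes
    signed_data = _lpb(b"") + _lpb(_lpb(cert_der)) + _lpb(b"")    # digests, certs, attributes
    signer = _lpb(signed_data) + _lpb(b"") + _lpb(b"dummy-spki")  # signatures, public key
    value = _lpb(_lpb(signer))
    pairs = struct.pack("<QI", 4 + len(value), 0x7109871A) + value
    size = len(pairs) + 8 + 16
    block = struct.pack("<Q", size) + pairs + struct.pack("<Q", size) + APK_SIG_BLOCK_MAGIC
    eocd, cd_offset = find_eocd(zbytes)
    # Move the central directory past the block and patch the EOCD's CD-offset field.
    patched = zbytes[eocd : eocd + 16] + struct.pack("<I", cd_offset + len(block)) + zbytes[eocd + 20 :]
    return zbytes[:cd_offset] + block + zbytes[cd_offset:eocd] + patched


if __name__ == "__main__":
    import sys
    for scheme, fps in signer_fingerprints(open(sys.argv[1], "rb").read()).items():
        print(scheme, fps)
```

Run as `python apk_signer_fp.py com.android.vending_base.apk` to print the fingerprints per scheme; for the sample above the v2 or v3 entry should contain `f0fd6c5b…`. Note what this does and does not establish: matching the fingerprint identifies which certificate the block carries, but it does not verify the signatures over the signed data or the content digests, so a crafted file could embed Google's certificate without a valid signature. An APK pulled from /data/app has already had its signature checked by the platform at install time; a scanner that accepts files from anywhere else still needs a full verifier (apksigner, or an implementation of the v2/v3 verification steps) behind this fingerprint check.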
