![\"\"](\"http:\/\/jebware.com\/blog\/wp-content\/uploads\/2018\/01\/Screen-Shot-2018-01-02-at-2.49.57-PM.png\")
<\/p>\n<\/p>\n
As happens with successful and interesting apps, somebody made impostor copies of the Guardian Project’s Haven app<\/a>, which got a lot of press due in part to Edward Snowden’s involvement<\/a>.\u00a0 As of this writing, the copycat has a dozen listings on the Play Store, all with little variations in the name.\u00a0\u00a0(Hat tip to @rettiwtkrow<\/a>, whose tweet was the first I saw of it).<\/p>\n Interestingly, the fake apps have a\u00a0slightly<\/em> different icon from the real app.\u00a0 Below is the real app’s icon on the left, and the fake app on the right.<\/p>\n When you open the fake, it’s immediately clear that they’re just using the name to drive downloads, and the functionality of the app isn’t even trying to look real.\u00a0 It’s a run-of-the-mill crapware “cleaner” app.<\/p>\n It has a tab bar across the bottom, and each tab is a different tool: “Charge Booster”, “Battery Saver”, “CPU Cooler”, and “Junk Cleaner”.\u00a0\u00a0\u00a0\u00a0They show some made-up stats about the device, and make promises they can’t deliver.\u00a0 For the most part, as you run one of these tools, it displays an animation (that isn’t actually tied to any real work being done), and then a full-screen ad.\u00a0 After one tool, I was presented with a fake Facebook sign-up page.<\/span><\/p>\n If you try to apply the “Ultra Power Saving Mode” it sends you to the OS settings app to enable “Allow modify system settings”.\u00a0 I found this alarming, and assumed this is where I would find the nefarious code.\u00a0 So I decompiled the app and poked around, and was honestly pretty underwhelmed.<\/p>\n I should note that the impostor app’s targetSdk is 24,\u00a0meaning it has to ask for permissions at runtime, which is nice and a little surprising, given that Google isn’t yet forcing developers to do so<\/a>.<\/p>\n Anyway, I need not have worried –\u00a0after you grant this app the ability to modify system settings, all it does is turn down your screen brightness, disable autorotation, and disable background syncing for other apps.<\/p>\n (such battery savings. many mAh. very wow)<\/p>\n The bottom line is that these copycats appear to be using the Haven name and publicity just to drive downloads, then make a quick buck off of advertising.\u00a0 I couldn’t find any evidence of anything more sinister than that.<\/p>\n For my last point, let’s talk about attribution. I can’t say for sure<\/em>, but I have an educated guess where this came from.\u00a0 There’s an app which is almost entirely the same code on the Google Play store.\u00a0 Unlike the Haven copycats, this app has accurate\u00a0screenshots on the Play Store<\/a>, and the UI matches the Haven impostors.\u00a0 Either this is the same developer, or it’s a false flag.\u00a0 I can’t rule that out, so I’m not saying this with 100% confidence, but a preponderance of the evidence surely doesn’t look good for that developer.<\/p>\n I assume Google will be along shortly to remove the offending copycats (and hopefully terminate their ad accounts, and the rest of their apps under both publisher listings).\u00a0 But it’s an important reminder that copycats exist, and it’s important to remain vigilant.<\/p>\n","protected":false},"excerpt":{"rendered":" As happens with successful and interesting apps, somebody made impostor copies of the Guardian Project’s Haven app, which got a lot of press due in part to Edward Snowden’s involvement.\u00a0 As of this writing, the copycat has a dozen listings on the Play Store, all with little variations in the name.\u00a0\u00a0(Hat tip to @rettiwtkrow, whose … Continue reading “Reverse-engineering the fake Haven apps”<\/span><\/a><\/p>\n","protected":false},"author":2,"featured_media":0,"comment_status":"closed","ping_status":"open","sticky":false,"template":"","format":"standard","meta":{"_mi_skip_tracking":false,"twitterCardType":"summary_large_image","cardImageID":0,"cardImage":"http:\/\/jebware.com\/blog\/wp-content\/uploads\/2018\/01\/Screen-Shot-2018-01-02-at-2.49.57-PM.png","cardTitle":"","cardDesc":"","cardImageAlt":"","cardPlayer":"","cardPlayerWidth":0,"cardPlayerHeight":0,"cardPlayerStream":"","cardPlayerCodec":""},"categories":[4],"tags":[],"_links":{"self":[{"href":"https:\/\/jebware.com\/blog\/index.php?rest_route=\/wp\/v2\/posts\/459"}],"collection":[{"href":"https:\/\/jebware.com\/blog\/index.php?rest_route=\/wp\/v2\/posts"}],"about":[{"href":"https:\/\/jebware.com\/blog\/index.php?rest_route=\/wp\/v2\/types\/post"}],"author":[{"embeddable":true,"href":"https:\/\/jebware.com\/blog\/index.php?rest_route=\/wp\/v2\/users\/2"}],"replies":[{"embeddable":true,"href":"https:\/\/jebware.com\/blog\/index.php?rest_route=%2Fwp%2Fv2%2Fcomments&post=459"}],"version-history":[{"count":10,"href":"https:\/\/jebware.com\/blog\/index.php?rest_route=\/wp\/v2\/posts\/459\/revisions"}],"predecessor-version":[{"id":481,"href":"https:\/\/jebware.com\/blog\/index.php?rest_route=\/wp\/v2\/posts\/459\/revisions\/481"}],"wp:attachment":[{"href":"https:\/\/jebware.com\/blog\/index.php?rest_route=%2Fwp%2Fv2%2Fmedia&parent=459"}],"wp:term":[{"taxonomy":"category","embeddable":true,"href":"https:\/\/jebware.com\/blog\/index.php?rest_route=%2Fwp%2Fv2%2Fcategories&post=459"},{"taxonomy":"post_tag","embeddable":true,"href":"https:\/\/jebware.com\/blog\/index.php?rest_route=%2Fwp%2Fv2%2Ftags&post=459"}],"curies":[{"name":"wp","href":"https:\/\/api.w.org\/{rel}","templated":true}]}}![\"\"](\"http:\/\/jebware.com\/blog\/wp-content\/uploads\/2018\/01\/icons-combined.png\"){kind=icon}
<\/a>I downloaded half a dozen of these copycats and started reverse-engineering them.\u00a0 The copycats are all the same as each other, only the package name changes.\u00a0 But they’re all completely different from the real app.\u00a0 I wondered at first if they might have ripped off the real app’s code since it’s open source<\/a>, but no.<\/p>\n![\"\"](\"http:\/\/jebware.com\/blog\/wp-content\/uploads\/2018\/01\/0-first-screen.png\")
\u00a0 \u00a0![\"\"](\"http:\/\/jebware.com\/blog\/wp-content\/uploads\/2018\/01\/ezgif-3-0dd45d83be.gif\")
\u00a0 \u00a0![\"\"](\"http:\/\/jebware.com\/blog\/wp-content\/uploads\/2018\/01\/5-fake-facebook-signup.png\")
<\/p>\n![\"\"](\"http:\/\/jebware.com\/blog\/wp-content\/uploads\/2018\/01\/6-system-settings.png\")
<\/a><\/p>\n![\"\"](\"http:\/\/jebware.com\/blog\/wp-content\/uploads\/2018\/01\/3dDoge.gif\")
<\/a><\/p>\n![\"\"](\"http:\/\/jebware.com\/blog\/wp-content\/uploads\/2018\/01\/Screen-Shot-2018-01-02-at-3.50.20-PM.png\")
<\/a>Then I got a little worried again when I saw the app has a BroadcastReceiver that runs immediately when the app is installed or updated.\u00a0 This means the app has code that runs in the background even if you never open the app.\u00a0 But again, I shouldn’t have worried because all it does is try to show a toast message saying “[app] Is Optimized by Fast Cleaner & Battery Saver.”<\/p>\n![\"\"](\"http:\/\/jebware.com\/blog\/wp-content\/uploads\/2018\/01\/Screen-Shot-2018-01-02-at-2.50.19-PM.png\")
<\/a><\/p>\n