AppLovin nonconsensual installs

179 pointsposted 4 months ago
by jhap
(benedelman.org)

63 Comments

lukec11

4 months ago

I looked through the AppHub APK last year after a friend told me they'd found unknown apps installed on their flagship Samsung, and I was very surprised to find some of the same "direct download" references you did.

I've known for a long time that T-Mobile shipped junk apps upon initial setup, but seeing them loaded OTA after a single click on an ad (even a few pixels off of the "x" button) is very concerning. Even putting aside the moral issues with practices like this, that's a huge security hole in a very large percentage of Android phones.

bedelman

4 months ago

lukec11, I would enjoy chatting with you about methods and findings. Send a note? https://www.benedelman.org/mail/

w-ll

4 months ago

ADB can show you what package install'd a package. I've been running a setup but I gernally buy a bunch of the same phone, but after they get wifi they install masive amounts of junk.

bedelman

4 months ago

Yup, can see what package installed a package both via ADB and even in the Settings > Apps GUI. Of course that's a slightly different question from whether the install was nonconsensual.

user

4 months ago

[deleted]

lurtbancaster

4 months ago

> ad tap (just clicking an ad, potentially a misclick aiming for a tiny X button, with no Install button even visible on screen)

> AppLovin’s X’s are unusually tiny, so mis-taps are especially likely

This is why I use Intent Intercept - https://f-droid.org/en/packages/de.k3b.android.intentinterce...

It tells me exactly what's about to happen from my tap(accidental or intentional), and gives me the option to undo my tap.

Every privacy/security conscious Android user should have Intent Intercept installed on their devices already.

cudgy

4 months ago

Makes sense. Pretty sad to have to install a tool like that to get security on a platform that is used by billions of users. Even more shocking that apps get installed just from clicking a small close button on a silly ad without even prompting for the install?

Installing random tools to hopefully get more security, though is risky also. Hopefully that tool doesn’t get compromised as it is privy to all intent activity.

lurtbancaster

4 months ago

> Pretty sad to have to install a tool like that to get security on a platform that is used by billions of users.

You click on a banner ad inside an app, and if you have Intent Intercept installed, it won't immediately register as an "impression" and take you to wherever the banner has been programmed to take you to by default. Since Intent Intercept also affects the ad industry(of which Google is a big part), I don't expect Google to build a similar less-nerdy tool into Android by default.

> Installing random tools to hopefully get more security, though is risky also. Hopefully that tool doesn’t get compromised as it is privy to all intent activity.

Intent Intercept is open source(Apache License 2.0 https://github.com/k3b/intent-intercept) and its release binaries are hosted on F-Droid, arguably the most trusted Android "store" for Free and Open Source apps. So I'm not too worried.

cudgy

4 months ago

I think we should always be worried when installing even open source tools that are injected within operating system functions, especially tools that pull in many external libraries. It adds to the threat surface area.

However, in this case, this tool will hopefully mitigate that risk and, as you said, the creator of the OS is actually a threat too (by leaving their OS vulnerable in order to facilitate their ad business).

OgsyedIE

4 months ago

Are there any apps designed to specifically gate every install, including background OTA installs sent by carriers, because I'm security conscious with my devices but I have family who very much are not.

Ideally, I can just nag my non-tech savvy relatives to let me install such a security app for them and then enjoy having peace of mind for their behalf.

jeroenhd

4 months ago

Not buying a carrier phone or buying an iPhone (which doesn't permit carriers to inject the same type of crap into the device, they can only influence access to certain settings). AppLovin cannot install anything in the background without deep system access, and manual installation of non-Google apps requires confirming at least three popups.

There are antivirus apps on Android that will warn you for this crap, but an antivirus cannot work on an operating system designed to install malware.

taspeotis

4 months ago

Yes: “App Store” on iOS protects you against exactly this.

margalabargala

4 months ago

Having non-tech-savvy relatives throw out their phones, buy thousand dollar hardware and swap to an operating system they are unfamiliar with is an absolutely terrible solution to the problem.

alfalfasprout

4 months ago

Hyperbole of this comment aside, what else do you suggest then?

It's a fundamental tradeoff between allowing multiple ways for apps to be installed or forcing everything through a single installation workflow (a la iOS and its App Store).

margalabargala

4 months ago

Nothing in my comment was hyperbolic. The median price of a current gen iphone is $999. The people OP is asking about are not typical HN users; asking them to change phone operating systems is an unreasonably onerous ask.

OP had a good suggestion for a solution, something that allows gating surprise app installs.

DrewADesign

4 months ago

I’m not saying that you should cajole them into doing something they don’t want to do, but in case it’s useful to anyone else reading this, I had a good experience having family make that switch for that reason. Having used Google, Samsung, and Apple phones extensively, I knew that switching to iOS is way less frustrating than going in the other direction, or even from vanilla Android to Samsung, IMO. The iPhone 16e is more than sufficient for a non-demanding users and is $599 totally unsubsidized, without trade-in, and they really do keep ticking for years for basic needs. (I got them iPhone SEs years ago and they just upgraded recently.) Quite usefully, my family lives near a few Apple Stores, so they can go in and get user support (including backup/phone reset type stuff) for free nearly on-demand, which saved me a lot of time mitigating someone just downloading some bullshit that had a name like “Weather Zone Plus Free Pro Traffic Weather News Games Center Deluxe Free (no ads)” that totally horked their setup.

margalabargala

4 months ago

$599 for a phone is frankly exorbitant for what is required here.

The phone they have have that was being asked about is probably either free or close to it with carrier incentives.

Here on HN we are in a bit of a bubble. Most users of this site can just make a $500 purchase if they want to and not think about it. The median American's liquid savings are well under $10k, and buying the least expensive iPhone is a burden. "Buy an iPhone" is not a suggestion that should be made to a person who would have to put it on a credit card and would be unable to 0at.it off that month.

filmgirlcw

4 months ago

And you can get iPhone 14s for $99 on occasion as long as you commit to prepaid service from Total Wireless/Trac Fone for 3 months (so about $180 - so your total price for the phone and 3 months of service is about $300) or you can use carrier trade-in deals to get hundreds of dollars off an iPhone 17, as long as you stay on a postpaid plan and take the credit over 3 years.

Yes, there are way more options to get sub $500 Android phones, but pretending like an iPhone is too expensive for most Americans when carrier deals are often as good or better for iPhone options (to say nothing of the older phones being sold by Total Wireless and the like) and when more people in the United States use iPhone vs Android is a little bit silly.

We just got $1130 from Verizon for my husband's old iPhone 14 Plus towards his new iPhone 17 Pro (I get a new phone every year so I’m just on the Apple Upgrade plan or I buy it outright each year, whereas he gets a new phone every 3 years or so), making it essentially free (we had to change the plan he was on but it cost the same as the old plan) and if he’d wanted a regular iPhone 17, he could’ve dropped down to a cheaper phone plan too. A 16e would’ve been even less than that.

DrewADesign

4 months ago

I guarantee that a) they can get a hell of a lot more phone than that with carrier incentives, and b) if you compare Android phones released when that phone was released, you’re not going to see anything more than a hundred or two cheaper. And as much as I miss my salary, which was comparatively meager by standards here, I haven’t worked in the software business in years. I’m in my early career in a blue collar manufacturing trade, and not even in a major metropolitan area. I’ve been accepted into means-tested low-income programs within the past 6 months. I’ve got a pretty grounded understanding of what people outside of the Silicon Valley cultural sphere consider reasonable to spend on a phone, and what features they’d expect for it.

renewiltord

4 months ago

Anyone who is trying to save money shouldn't buy the "median" device. Just get an older iphone or the SE if you want it. Doesn't make sense. “I’m in top 10 percent of price conscious users so I want 50th percent device”? Just illogical behavior.

margalabargala

4 months ago

An older iPhone or an SE is still hundreds of dollars more device than these people need.

BoredPositron

4 months ago

It's not even a hundred dollars for the 2020 SE model which still has 2 years of updates in it. For the newer 2022 model it's under 200 from refurb sellers. You can get 13s for under 250. You can even get apple care with the new subscription model and sneak a new battery for 12 bucks. Arguing with bogus facts is bad manner.

margalabargala

4 months ago

You're awfully cavalier with other people's money. Some would call that "bad manners" too since you brought it up.

Buying a $100 phone every other year when offered an android phone for free from the carrier is a meaningfully bad financial decision for people less well off than yourself. You are fortunate to be in a position to not have to worry about money like that, but try to have compassion for people less rich than yourself.

BoredPositron

4 months ago

Oh stop the wiggling. You said hundreds of dollars and they aren't. Now you are switching your argument to "free phones" there are no free phones you still pay for them. In lower income countries your carrier even installs malware as part of their bloat itself. The backmarket prizes in these countries are even more attainable for older iPhone models. Instead of paying your shady carrier you can finance the refurbs. Just stop making shit up and the petty emotional misdirection when you are called out. Judging from your other comments in themis thread it's your go to discussion instrument...

margalabargala

4 months ago

You're making an impressively bad faith argument here.

Yes if you buy an ancient device it is less. If we compare apples to apples, or apples to androids, you could buy an equally old android device for next to nothing. Any "wiggling" was because the discussion was about new devices before you decided to pretend to miss the context clues.

You are delusional if you think that there exists an iPhone that is not much more expensive than a lower end Android of a similar age. All the namecalling and pretending in the world won't make it otherwise.

anonymars

4 months ago

> 2020 SE model which still has 2 years of updates in it

> You can even get apple care with the new subscription model and sneak a new battery for 12 bucks

> you could buy an equally old android device for next to nothing

Is that Android device going to have any support or security updates or battery life?

colechristensen

4 months ago

On the other hand, iOS is popular because of quality issues like this. Android is only as good as it is because of the competition from Apple.

Before the iPhone you couldn't even get the "cool" phones in America, Japan had so much better things available and everybody envied what wasn't available here.

The reason we have any control from the carriers was the power Apple had and the stubbornness of Jobs.

A lot of the battles being lost by Apple are being won by groups who will make the ecosystem worse.

margalabargala

4 months ago

I mean sure, the iPhone did a ton to create the modern smartphone as we think of it. If you as a user care about that history and want to support what Apple does, you should buy their devices.

That doesn't make it a reasonable device for a sizable segment of the non-tech-savvy population though.

lukev

4 months ago

It definitely can and should be a factor when choosing what hardware to set your relatives up with in the first place, though.

OgsyedIE

4 months ago

It's much too late for that in both my case and the same case for probably tens of thousands of others.

loeg

4 months ago

Many people are buying new phones every couple years. That's a new opportunity to switch.

cudgy

4 months ago

If you leave your front door open, you’re gonna get a lot of strangers and stray animals in your house. If you don’t have the desire to close the door, I guess you’ll just give in and get familiar with your new roommates.

I’ve never understood why people use android, which was built by the largest advertising company in the world. A company with a history of violating privacy, scanning personal data for advertisement purposes. Also, what amazes me, is that many technical, well-informed people continue to use standard android os, knowing full well that they’re giving up major privacy protections and using a much less secure platform than alternatives like iOS. I’m sure there’s good reasons for it that people have and can rationalize.

The main rationalization that I have seen from technical people is that they just hate Apple. They’ll never use Apple, even if they have to give up significant privacy. Other people like the fact they can customize the device (which I like as well), but unfortunately, makes it easier for bad actors to customize your phone in ways you don’t want.

FredPret

4 months ago

Take the hourly billing for those of us who work that way. Multiply by family tech consulting time. It's probably cheaper to buy an iPhone for everyone!

At least this used to be true in the halcyon days when iOS was simple.

Nifty3929

4 months ago

The same "walled garden" app store that is much maligned on HN?

Dylan16807

4 months ago

The only walls that need to be in place to prevent this are against malicious carrier app stores. There's no need to restrict users here, which is what people complain about.

Stopping carriers from ruining phones is quite popular on HN from what I've seen.

ChrisMarshallNY

4 months ago

Yup.

Geeks don’t like it.

But Apple is a three-trillion-dollar corporation, because most folks aren’t geeks.

MrDarcy

4 months ago

I’d bet a large sum of money the safari user agent holds the top spot for total number of mobile users for Tuesday US office hours. Maybe dang can validate or reject the hypothesis.

user

4 months ago

[deleted]

nicoburns

4 months ago

You could try looking at "MDM" products. They're mostly targeted at corporations, and tend to be server based (OS calls the server directly) rather than on-device apps. But they can do some of these kinds of things.

kokada

4 months ago

Modern Android devices now have the "Device Protection" option that does a bunch of things, including disabling side loading. And I think you can enforce this via work profiles too.

rgovostes

4 months ago

How does the platform even allow a single tap on an ad to install an app?

Edit: Discussed somewhat here https://www.benedelman.org/applovin-permissions/. Seems like it's abetted by garbage from the carrier.

Something for iOS to look forward to?

jeroenhd

4 months ago

iOS famously doesn't allow reloading themes or software. It's part of why they struggled to find a carrier to launch with in the beginning, because carriers modifying phones used to be the norm.

There are settings carriers can push to iOS (access to features like tethering, some network configuration stuff) but this type of malware cannot be pushed onto iOS. At worst, carriers push shitty Java applets to the (e)SIM, but that's all sandboxed off from any user interaction.

lysace

4 months ago

You neglected to mention Google's Android. It's business model that maximizes for reach over everything else is the root cause.

margalabargala

4 months ago

The two options are reach over all else, or control of its customers and overcharging them at every turn over all else.

One is not obviously better than the other, though I'll grant that Apple has managed to get their users to a place where being subjected to them has become a point of pride, which is impressive.

Dylan16807

4 months ago

If we look iphone versus the direct google phones, both are quite expensive and at this point google's about $800/TB for storage upgrades is actually worse than apple's price.

margalabargala

4 months ago

Yes the Pixel phones are just as unaffordable as iPhones in this case, you're right! Google and Apple are the same here. If you want an inexpensive phone you must look for an Android phone that is not made by Google.

bedelman

4 months ago

Ben Edelman here, author of the page you linked above and the full article at https://www.benedelman.org/applovin-nonconsensual-installs/ (linked from top of this page). Happy to answer any questions.

nightpool

4 months ago

I think the structure of this article definitely made it harder to find the details to some of these questions—the fact that it's posted as 5-8 different "blog" entries instead of a single webpage made it harder then it needed to be to get to the technical conclusions section. Also, some of the method call listings on this page: https://www.benedelman.org/applovin-execution-path/ were unnecessarily verbose, and duplicative with the later pages that actually explained the flow in more detail e.g. https://www.benedelman.org/applovin-execution-sdk/

Having all of the sections of the article on the same page would have helped surface and resolve a lot of these potential editorial issues.

bedelman

4 months ago

Thanks for these suggestions. You may be right. I split the article into pages based on feedback from early readers that it was too long. Custom nav bar in the top-right, but maybe still not quite right. I've never previously posted anything of this length or complexity.

Thanks also for reading so carefully. My web stats say many people stopped at the summary!

bedelman

4 months ago

Bloomberg reports both that Applovin says they did get user consent ("Users never get downloads with any of our products without explicitly requesting it") and that they're nonetheless shutting down the app install business because it was, supposedly, "not economically viable."

https://www.bloomberg.com/news/articles/2025-10-15/applovin-...

andy

4 months ago

I reported problems about applovin sdk clicking on/opening ads on ios apps like a decade+ ago. have never used them since.

doctorpangloss

4 months ago

AppLovin has been doing this for a long time. BlueStacks and some other vendors have been doing this for literally a decade.

The root problem is that Google Play is poorly curated. One problem it has is that it ranks apps that have many downloads higher than those with fewer downloads. AppLovin is used to boost downloads for the purposes of the Google Play algorithm.

Of course, this is known to Google.

bedelman

4 months ago

Are you sure BlueStacks installs apps without user consent? I know BlueStacks as an emulator to play Android games on PC and Mac. That's a legitimate business, 100% consistent with what users want. Versus what I (author of the piece linked above) reported is that AppLovin is installing apps that users don't want -- installing silently, installing when users tap X, installing after a quick (5 second) countdown.

doctorpangloss

4 months ago

> Are you sure BlueStacks installs apps without user consent?

You think deeply about that question.

donsupreme

4 months ago

I really hope Unity gain more mobile gaming ads market shares away from AppLovin.

FredPret

4 months ago

AppLovin makes a gargantuan profit margin of 45%:

https://valustox.com/APP

Even so, I avoid stocks that don't have a sustainable, value-based business model.

bradybd

4 months ago

Quite damning evidence

like_any_other

4 months ago

> Why would Samsung, T-Mobile, and others grant AppLovin the ability to install apps?

Exotica like Fairphone and PinePhone are starting to look pretty good...