A strange event today has a lot of Samsung Android owners rightfully worried about malware on the Android Market. We've received a raft of tips from users who have discovered an app titled "МТС Мобильная Почта" (MTC Mobile Mail) on their Samsung devices, an app they never installed and are finding difficult to uninstall.
As near as we can tell, the issue appears to be this: Samsung has several pieces of software that it installs on its devices but that aren't in the Google Play store (for obvious reasons). However, every single Android app has an app name that identifies it on the Android system; in this case the "unique" name is com.seven.Z7, which identifies Samsung's email app. What appears to have happened is that Russian developer OJSC Mobile Telesystems gave that unique identifier to its "МТС Мобильная Почта" app, and so these Samsung devices were tricked into thinking it was an update to Samsung's email client. Since Google Play allows for automatic updating of all apps, it appeared in the "My Apps" section within Google Play (see update below).
Unfortunately, we don't have a clear idea as to why this company gave this app that ID, but we don't believe that it had malicious intent in doing so; early indications from the folks at xda-developers indicate that the app is not a threat. For those of you steeped in mobile history, you may remember that Seven created popular email services for Windows Mobile back in the day, but now the company has moved on to providing those services as a white label, hence the com.seven.Z7 App ID on Samsung's email app. It's possible (and likely, actually) that OJSC simply received the same white label service from Seven and the identical app name and signing certificate is an unfortunate mix-up.
There are a couple of issues at play here. First, Google Play needs to be more intelligent about automatic updates for carrier-installed apps that are already on the phone: the fact that merely having the same App ID appears to be enough to get software installed via an automatic update is potentially a serious security problem (see update below). Second, although it doesn't appear that OJSC was acting maliciously, giving its email app the same App ID as one already in very common use was a mistake, although to be fair that App ID wasn't yet in use on the Google Play store, only within Samsung's own ROM. Then again, this is not the first time that this issue has cropped up.
Right now, it looks like the process for removing the app may require some Android hacking skills, but we have reached out to both Samsung and Google to get more details. In the meantime, "МТС Мобильная Почта" has been taken down from the Google Play Store. We'll let you know when we hear more.
Update: As we suspected, Seven seriously erred in giving the same App ID and signing certificate to two different apps, and that's the core problem. We spoke with Google, who provided some clarification on what happened here. Google says that there was a bug that caused the Russian version of the mail app to erroneously appear in the "My Apps" section of Google Play for a large number of Android users. However, Google says that it disabled the app some time ago, so it was never actually installed on any devices. Google is currently working on a fix for the "My Apps" issue.
Thanks to everybody who sent this in!
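To make the collision described above concrete, here is an added example (not code from Google, Samsung or Seven) that audits store listings against a device's preinstalled packages. It models the standard Android rule that an update is accepted only when both the App ID and the signing certificate match. The certificate bytes, the "Email" label and every entry other than com.seven.Z7 and "МТС Мобильная Почта" are constructed; comparing labels is a heuristic, and signing-key rotation is ignored.

```python
import hashlib
from dataclasses import dataclass


@dataclass(frozen=True)
class App:
    package: str   # Android App ID, e.g. com.seven.Z7
    label: str     # user-visible app name
    signer: bytes  # signing certificate bytes (constructed stand-ins below)

    @property
    def cert_sha256(self) -> str:
        return hashlib.sha256(self.signer).hexdigest()


def classify(installed: dict, listing: App) -> str:
    """How a device holding `installed` would treat the store `listing`."""
    current = installed.get(listing.package)
    if current is None:
        return "new-app"             # App ID not present on the device
    if current.cert_sha256 != listing.cert_sha256:
        return "rejected-signature"  # same App ID, different signer: not an update
    if current.label != listing.label:
        return "collision-accepted"  # same ID and signer, different product (heuristic)
    return "update"


def audit(installed_apps, catalogue):
    """Classify every store listing against the preinstalled set."""
    installed = {a.package: a for a in installed_apps}
    return [(l.package, l.label, classify(installed, l)) for l in catalogue]


# Constructed sample data: one ROM app and three store listings.
WHITE_LABEL_CERT = b"constructed-cert-shared-by-white-label-builds"
OTHER_CERT = b"constructed-cert-of-an-unrelated-developer"
ROM = [App("com.seven.Z7", "Email", WHITE_LABEL_CERT)]
STORE = [
    App("com.seven.Z7", "МТС Мобильная Почта", WHITE_LABEL_CERT),
    App("com.seven.Z7", "Lookalike Mail", OTHER_CERT),
    App("com.example.notes", "Notes", OTHER_CERT),
]

if __name__ == "__main__":
    for row in audit(ROM, STORE):
        print(row)
```

Only the first listing is flagged as an accepted collision; the second shares the App ID but fails the certificate check, which is why the shared signing certificate matters as much as the shared ID.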