Phishing Warning - Gadgetbridge

App installed from here starts without permissions and shows over other sensitive apps like WhatsApp and banking (without even showing in the permissions control panel!)

Uninstall and check your passwords!!!

Ain’t that like…its function?

Use your Android Settings to not-allow it over sensitive apps…


Do note that maybe the word you are looking for is NOT phishing.

ref: Phishing - Wikipedia

How does an application do phishing? I’ve been using Gadgetbridge rarely for half a year, and the system shows 0.0 MB data usage. So how can it phish without network traffic?

Let me rest my case. Here are the events that led me to that conclusion.
I was using Gadgetbridge to send notifications to my Bangle.js smartwatch.
Everything worked great.
But I don’t use the watch permanently.
So when I was not using it, Android was showing that the Gadgetbridge app was open in the background all the time.
At first I didn’t care. Then I started to open the app info and stop it manually.
But it started again by itself, even when it had that option unchecked inside the app.
I kept closing it manually.
One day I received a message that my credit card was used to buy some online thing. Not a lot of money, but it was not me.
I canceled it, but I wondered.

Then, when I had WhatsApp open, Android (or WhatsApp) notified me that an app was showing on top of it.

Then 2+2: Gadgetbridge wasn’t behaving normally and was showing over other apps. My conclusion: data gathering or spying, so I uninstalled it.

I may be wrong, of course, but when one app starts by itself when you don’t want it to, it is, at least, suspicious.

You didn’t rest anything, or add any new info. Coincidences at best.

Same here: QKSMS compromised?

Start at boot? Isn’t the app relaying messages/calls/notifications to the wearable device? It needs to be running to do that, right?

The autostart has a setting; is that not working? Then report the bug to the developer.

Please provide the links to the source code, that pertain to spying and credit card fraud and etc: Freeyourgadget/Gadgetbridge: A free and cloudless replacement for your gadget vendors' closed source Android applications. See the list for supported devices. - Gadgetbridge - Codeberg.org


I don’t know what the topic starter’s issue is, but I haven’t had my phone number misused ever since I took away QKSMS’ permissions. As I stated, I don’t have the know-how to examine Java binaries, and it seems awfully convenient to just bully and gaslight those who don’t and therefore can’t prove things.
And stop pointing at the bloody source code. Any step of the process that produces the binary could be compromised, including F-Droid’s infrastructure or even compiler software. Can’t prove the binary is safe - didn’t prove anything.

If you really want to help - look at QKSMS binaries. Especially considering I wasn’t the only one reporting issues.

No, you take a look, since you think you know what it does that is bad. Get proof of all that you were saying. :man_shrugging: Set up your own fdroidserver, build, set up another one, say a different distro, try again, see if you get the same binary, etc. This takes time and expertise, yes we know, but this way your words can stand on something more than “i sink I thaw a puttycat”.


I’ll tell you what I’ll do instead. I will delete F-Droid and everything installed through it, and from now on I’d rather take my chances with binaries uploaded by developers to their GitHub Releases, whenever those are available. At least that way I can know that removing the problematic app will resolve the issue and that it’s the developer signing the updated binaries with their own private key and not a shared centralized F-Droid key that can be used to sign any malware.
Thanks for nudging me in the right direction.

If you check the sha256sums of Gadgetbridge or QKSMS on www.virustotal.com (yes, it’s a service of Google), then all of the following hashes have the status:

“No security vendors and no sandboxes flagged this file as malicious”

6b9f467ec808597b48de8f92c9770f3a6e7a9e27712ec157b798f9b54dee14de  com.moez.QKSMS_2215.apk
198a1686fa7d6a747d3b9e61dd99edfe6f9cf0677637b3d5b6918f1082f2f6ac  com.moez.QKSMS_2216.apk
675c66fe136ddaacdc1ff7b480bf753809a609ce26bbd2af0a3c757217583b7f  com.moez.QKSMS_2218.apk
946b4e5b5891f925a0db96da5c65180056d16e74faf6a7979303ed9be5b0263b  nodomain.freeyourgadget.gadgetbridge_208.apk
5175b598ad12e556bfde6887036e3aa68ddf2cf58af1fc3d54f577f0db062e23  nodomain.freeyourgadget.gadgetbridge_209.apk
864092e4ce8474df0c70144ad11d2c11ea394f52cb4ee453e1852d99618d0470  nodomain.freeyourgadget.gadgetbridge_210.apk

So they apparently pass the checks of 50+ security vendors.

But you are right: if you are not comfortable with the software on your phone then uninstall it.


Note: This post was prepared with vim in Termux, after uninstalling Farmer Editor, because it is dev’d on microsoft github. Termux is too, but one thing at a time, and weighing cost/benefit…

I have Gadgetbridge on a spare phone, used to install OS updates on a semi-smart watch. All the behaviors described above are consistent with permissions listed in F-Droid: starts on boot, runs in background, watches bluetooth status (and much, much more). I also didn’t enjoy it popping into action whenever bluetooth was started for other reasons, but it is clearly consistent with Gadgetbridge’s intended functions. Gadgetbridge also gets kudos for dev’ on Codeberg.

Aside on coincidences: One poster who says he is in Russia opens a new account at the time Ukraine invasion was launching, with fud on Qksms, a very popular app. Another poster using Z, a symbol of Russian armed forces, or supporters, opens a new account now, as the invasion isn’t going so great, with fud on Gadgetbridge, a very popular app…

installing apps outside F-Droid.

I’ve had my own doubts on F-Droid, and whether their reviews add enough value to justify the slowness…

But why now? Is it spreading discontent and keeping minds distracted from bigger world events? Why suggest installing apps straight from dev’s? Could it be to make it even easier to spread malware, outside review channels (such as they are)?

This post was flagged by the community and is temporarily hidden.


Gadgetbridge permissions are explained here. Services are started automatically on boot, notifications and Bluetooth, based on:

android.permission.RECEIVE_BOOT_COMPLETED
android.permission.BIND_NOTIFICATION_LISTENER_SERVICE
android.permission.BLUETOOTH
android.permission.BLUETOOTH_ADMIN

Which means that as long as you allow Notifications access (required to be able to forward notifications to the connected Bluetooth device), each notification will trigger (and start, if not running) the Gadgetbridge notification listener.

We also have our own F-Droid repository for Nightly releases, if you prefer to have code from the current master.

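To make the mechanism in the post above concrete, here is an illustrative AndroidManifest fragment (an added example, not Gadgetbridge's actual manifest; the package name and class names are hypothetical) showing the declarations that make Android itself start an app after boot and bind its notification listener whenever a notification is posted, which is exactly the "starts by itself" behaviour discussed in this thread:

```xml
<?xml version="1.0" encoding="utf-8"?>
<!-- Hypothetical package name; illustrates the permissions listed above. -->
<manifest xmlns:android="http://schemas.android.com/apk/res/android"
    package="example.wearablebridge">

    <!-- Lets the system deliver BOOT_COMPLETED to this app after a reboot. -->
    <uses-permission android:name="android.permission.RECEIVE_BOOT_COMPLETED" />
    <!-- Needed to talk to the watch; a Bluetooth state change can wake the app. -->
    <uses-permission android:name="android.permission.BLUETOOTH" />
    <uses-permission android:name="android.permission.BLUETOOTH_ADMIN" />

    <application android:label="Wearable Bridge (example)">

        <!-- The system broadcasts BOOT_COMPLETED; this receiver is instantiated
             by Android, not by user action, so the app appears "running" after boot. -->
        <receiver android:name=".BootReceiver" android:exported="true">
            <intent-filter>
                <action android:name="android.intent.action.BOOT_COMPLETED" />
            </intent-filter>
        </receiver>

        <!-- A NotificationListenerService. The android:permission attribute means
             only the system, which holds BIND_NOTIFICATION_LISTENER_SERVICE, can bind
             it. Once the user grants notification access in Settings, Android binds
             the service and keeps it bound, (re)starting the process as needed, so
             every posted notification reaches onNotificationPosted(). -->
        <service android:name=".NotificationRelayService"
            android:exported="true"
            android:permission="android.permission.BIND_NOTIFICATION_LISTENER_SERVICE">
            <intent-filter>
                <action android:name="android.service.notification.NotificationListenerService" />
            </intent-filter>
        </service>

    </application>
</manifest>
```

Because the listener is bound by the system rather than launched by the app, stopping the app from App info does not remove the binding; revoking notification access in Settings does, which is the check to make if the auto-start is unwanted.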

Just a final response to a now hidden post. I don’t know how I am the one spreading FUD, when actual F-Droid contributors comment evidence about potential malware on their platform like this: “Oh yeah, we’re 10 times more qualified than you are to do the required analysis, but we ain’t gonna move a finger to prove our platform is safe”.
I think everything that needs to be known about F-Droid is in Licaon’s posts. Cheers.

But do click the little pencil to see how Relan (also from Russia) hid discussion of “coincidences” re timing, Russia, and apps FUD.

Now that the latest F-Droid app update 15.x fails to install updates, we may both be installing without using the F-Droid app, for different reasons.

I think we agree on the Communications (lack of) Department.

Whatever makes you safe/happy, of course. We just don’t like to have accusations without proof.

If such proof appears we’ll tag the app, will fix the recipe, will disable the version or the whole app.

Until then? No… nothing.

Be sure to update regularly.

To be fair, since they use the same tools they’ll get the same malware mostly, but hey…

The problem with open source is that everything we do is… fully transparent. Actually I’m not qualified to do anything I do around here, I’m no dev, lol. Then again it was not about qualifications but about proofs. You could pay a qualified analyst to do the work for you. An independent one, maybe I’m biased or smth.

Which issue is this? Oh, you can post on Gitlab? Which forum thread is this? 1.15 (not yet recommended for stability reasons just in case, you’ve enabled “unstable apps”, right?) works fine for me, and the alphas worked too. What issue did you encounter?

Except the 20% hidden from public, and other private channels.

1.15 (not yet recommended for stability reasons just in case, you’ve enabled “unstable apps”, right?)

F-Droid app says 1.15 is recommended, to me.

works fine for me, and the alphas worked too. What issue did you encounter?

As said, it:

fails to install updates

and crashes.

No, you take a look

Do test upgrades with it on a couple of older devices and see. Testing and documenting detailed results takes time…