Hey, I installed F-Droid on my LG G3 phone, and a week later I noticed there was an unknown application running on my phone that I didn’t install; it had a Turkish name and a Turkish developer. I wanted to come up here and see if anyone else ever had this issue or encountered such spyware installed through F-Droid, because if it did, it’s possible F-Droid was compromised by foreign governments like Turkey.
Unless you installed the privileged extension, F-Droid can not install apps without requesting your confirmation (Android system limitation). Even if F-Droid was compromised, you would still have to confirm installs manually. If the app appeared without showing a confirmation dialog, it is not possible that it was installed by F-Droid.
And you can’t spell the name of the app? Attach a screenshot? Link? Anything?
I live in Turkey. Can you write the name of the application and the developer?
Me, F-Droid also installed Turkish spyware on my phone! Developer name is ‘senrayo çoküğu’ and the app name is ‘cesis yazılınn eğiancIiedir’. Please delete the app now! I will take legal action otherwise!!
Link to f-droid.org please
here is link: link
Funny… To the app on F-Droid please…
Would you mind listing all or some of your other F-Droid applications so we can try to figure out if another app may be enabling this exploit or if this is an exploit at all.
They need to list ALL apps, F-Droid, preinstalled, system, etc
If Turkey could target download dot com or 7-zip dot org, what stops them from targeting f-droid’s apk download too?
And then there’s recent news about Turkey passing a “social media regulation bill”…
So since one won’t install software actually FROM fdroid this concerns us how?
Because you advertise concern for security, including initial installs as “a potential vector of attack that built-in app stores do not have.” Oddly it was not easy to find anything on how to check the download, on f-droid dot org.
So if they modify that file… they can’t modify the means of verification (hashsums) too so it checks out?
I saw that forum post (and other), but it doesn’t look authoritative, nor consistent with:
BTW, at that page, official binary releases: https:… acts like a bad link.
Isn’t protecting your private keys the (cough) key thing to prevent fake signing?