Meiklejohnian absolutist. free speech as in free-for-everyone.
mutuals: 
First thing I see when I decompile the app is this, which is a broadcast receiver for "http://com.android .vending.INSTALL_REFERRER", so unfortunately they are doing it the boring non-root waypic.twitter.com/0IDg2yl1K4
Show this thread
This got me curious, because root privileges aren't needed just to detect newly installed applications, so hooking play store to do this would be wild. I took a look on the Play Store and found this "battery saver" app published by ad-tech company TappX. https://play.google.com/store/apps/details?id=com.tappx.flipnsave.battery …https://twitter.com/nandoodles/status/1345790410673815553 …
For ex, one ad network launched “battery saver” style apps in Google Play, giving them root access to your phone.
When you type the word “Uber” into your Google Play, it auto-fires a click to make it look like you clicked on an Uber ad and attribute the install to themselves.
Show this thread
-
-
-
They tried to obfuscate whatever this class is doing and where the information is being sent by encrypting all of the strings constantspic.twitter.com/uSHLSNYzaK
Show this thread -
Looking at the decryption method, the keys were right there, so I just made my own copy of the entire class, because I didn't feel like reimplementing Java crypto weirdness in Python.pic.twitter.com/OaDHO0yl19
Show this thread -
I then used APKTool to grep for all instances where this method is used, extract the string constant passed to it from the smali source code and decrypt all of the strings.pic.twitter.com/OgWjg1Zi4i
Show this thread -
So, yeah. Someone is doing something shady here and went through some effort to (badly) hide it. APK for anyone who wants to take a look themselves: https://donk.sh/d/sr2qsok82k.apk …
Show this thread -
(i am having issues with my hosting provider so the link is unavailable atm. you can grab it yourself off apkpure)
Show this thread
End of conversation
New conversation -
Loading seems to be taking a while.
Twitter may be over capacity or experiencing a momentary hiccup. Try again or visit Twitter Status for more information.