So this just happened - those of you who have a Xiaomi phone know when you install apps it has its own “Virus Checker” screen which comes up before the app is approved for install. This is provided by Avast, I just found out…
Anyway while installing an app from F-Droid today I got an error message on this screen - which said “app from unknown source” and two buttons below - “Ignore” and “Install”. So I clicked on “Install” since I wanted to install the app and then noticed that the install process seemed a bit different (I can’t remember what happened exactly) but I checked the app on F-Droid and the version history wasn’t available - which a notice says means the app was installed from Play Store or somewhere else. But I just installed it from F-Droid!
So I tried another few apps and it happened again for one of them. I clicked around and there it was, some sort of Xiaomi app store installing versions of the app instead of the one I told my phone to install.
I guess there is an innocent explanation for this - stopping people from installing malware and giving them a “correct” version of the app they wanted - but I have disabled it on my phone, I know what I am doing and if I want the cracked version it’s because that’s the version I meant to install ;)
Is it possible the scanner is just intercepting the install request, then running the APK installer from the scanner afterwards? (So F-Droid wasn’t the program installing it, but it’s still the same APK.)
If it were the same APK, F-Droid wouldn’t later see a signature mismatch.