How does the Facebook Android App install Facebook Messenger?
I was very surprised when I found out that the Facebook app on Android apparently is able to install the Facebook Messenger app without asking for permission.
I'm aware that it is possible to install an app via another app, but the user needs to confirm the installation via a system dialog. In addition to that, on newer Android versions the user needs to give the "install from unknown sources" permission to the app that tries to make install requests.
Yet, i have not granted Facebook any install permission and there was no sysyem level dialog asking me to confirm the installation. I have also made sure that Messenger wasn't already installed before.
Im using a Poco F2 Pro running Android 10 (Miui 12). I observed the same behaviour on different devices. What kind of magic is used by Facebook here?
If you allow it to install, and check the app settings for messenger afterwards, you'll most likely (depending on version and device) see at the very bottom what app installed it. On my devices, it says something like this:
Now this is key: Notice that it's not saying Google Play, nor Facebook itself. It mentions "Facebook App Installer".
So what is this? Well, go into Settings > Apps to look for it. More than likely, you'll find 2 apps here; "Facebook App Installer" (com.facebook.system), and "Facebook App Manager" (com.facebook.appmanager).
Now, it seems that these two apps come preinstalled on a lot of android devices (most?), and they are responsible for installing updates to the Facebook and Facebook messenger app. I haven't decompiled these and dug into them just yet, but the fact that "Facebook App Installer" is listed as the installer of all Facebook related apps, and the fact that Facebook App Installer comes preinstalled should tell you all you need to know to answer the question here of how Facebook circumvents the permission requests to install messenger.
For the sake of completeness I'll also mention
- Neither of these two apps are mentioned in "Install unknown apps" (
Settings > Apps > Special access > Install unknown apps). - Facebook App Installer doesn't have any "dangerous" permissions listed in it's app settings. The only permission listed is "retrieve running apps".
- Facebook App Manager also does not have any "dangerous" permissions listed in it's app settings. It does have some permissions that aren't marked as dangerous. Namely:
View network connections,prevent phone from sleeping,measure app storage space,run foreground service,run at startup,have full network access,download files without notification,view Wi-Fi connections. Nothing really surprising here.
So to summarize. There's preinstalled apps on your phone. All things related to Facebook are installed and managed through these two apps instead of through the usual channels.
Due to the nature of Facebook there's quite a bit of speculation and hearsay essentially accusing these apps of data-collection on devices and other various nefarious purposes.
Searching for these didn't really give me a lot of information: But they are nonetheless discussed on the following links. Please note that most of these links link to community content, and so they tend to contain a lot of Facebook paranoia and sensationalism.
https://www.facebook.com/help/android-app/812681095504818 This link is facebooks own help-page that briefly mentions these apps in passing in describing how to disable facebook app updates.
https://support.google.com/android/thread/25263840?hl=en It's also mentioned briefly here, on a support thread on Google Community Android Help.
https://forum.xda-developers.com/tmobile-lg-v10/help/suspicious-apps-apps-section-facebook-t3415876 Briefly talks about how to remove (seems you must root your phone to truly get rid of this). It also links to https://www.theregister.com/2018/05/22/facebook_data_leak_no_account/ which seems to speculate that these two apps collect data from device even when the Facebook app (and messenger) isn't installed on device. Meanwhile https://thenextweb.com/finance/2019/01/09/no-samsung-isnt-pre-installing-facebook-on-your-phone/ says the reverse thing; that these two apps does not collect any information on their own.
- EventBus - Subscriber class and its super classes have no public methods with the @subscribe annotation
- Check for navigation bar
- How to manually set the FirebaseAuth User emailVerified status to true
- You can't submit updates as some information about your app is incomplete (Google Play)
- Android Ethernet and Wi-Fi at the same time
- How to create a Custom BottomNavigationAppBar in jetpack compose?
- How to capture app traffic on Android
- How to unzip, edit and zip an android apk
- Change password with Firebase for Android
- How to avoid reverse engineering of an APK file
- HTTPResponse debugging with the android emulator
- Using cookies with Android volley library
- Kotlin - Most idiomatic way to convert a List to a MutableList
- Gif image is not working in android in react native
- Flutter: Execution failed for task ':app:compileDebugKotlin'
- How to implement Container Transform with Material Motion on Jetpack Compose
- How to use Google Cloud Translation API in Android Studio?
- Retrofit always calling onFailure even response is 200
- Add intent extras in compose UI test
- How to set Google Vision QR Scanner to detect only one value?
- SignalR Client implementation in unity works in editor but not in Android
- Jetpack Compose Material3 Pull to Refresh functionality
- How can I align vertical center contents in Android Compose VerticalPager
- How can I achieve before-after animation in Jetpack Compose?
- Setting requestedOrientation results in crash
- Android Studio 3.1.3 - Unresolved reference: R - Kotlin
- Android Wrap Shell Script Doesn't Work as Expected
- I can't backup my realm database in External Directory because of mkdirs()
- At what point can I get the width of a view in a RecyclerView?
- Android-studio ERROR: Cannot add task 'copyDebugIconFonts' as a task with that name already exists