Material Notification Shade Contained Shady Library from Oxylabs

Two of the more popular Android customization apps, Material Notification Shade and Power Shade, were taken down from the Google Play Store last week. At the time of takedown, both apps had over 1.5 million combined installations. The apps allow the user to “customize” the notification menu and quick settings panel. This is achieved through gesture-detection triggered overlays, instead of any modification done to the actual System UI.

The stock Android notification menu is notoriously difficult to customize without pulling apart the SystemUI.apk. Only a small handful of Android device manufacturers have built-in methods of customizing the notification menu, like Samsung devices through the Samsung Theme store. Another subset of Android users can download Substratum themes, which can customize various system UI elements, but only if their ROM supports OMS theming, and the list of ROMs that do is not very big.

Thus, Material Notification Shade and Power Shade were both seen as great alternatives for either basic Android users, or advanced users who do not have an OMS-capable ROM. However, Google suddenly pulled both apps from the Play Store, which meant that the apps were automatically removed from pretty much everyone’s devices (that have Google Play Protect enabled, which is a majority of users).

Why was Material Notification Shade pulled from Play Store?

After some speculation on Reddit, AndroidPolice reached out to Treydev Inc. who admitted that the apps contained “library code” that “wasn’t his own”. Google flagged the apps as malicious because they were leveraging proxy requests to “retrieve content from specific websites”. Popular Google Play Store alternative APKMirror also put up a warning on the download pages for the apps:

APKMirror warning for Material Notification Shade app.

Treydev Inc. released a few statements on his official Google+ account, mostly answering questions from customers. Aside from announcing that he was re-uploading the apps without the offending libraries, he explained a bit what the libraries were (and where they came from).

Why was OxyLabs library in MNS?

Treydev Inc. mentions that the library was provided to him by Oxylabs, and that neither the library nor his apps were involved in any data mining. It’s worth remembering, however, that Oxylabs specializes in data-mining technology. From their own website page “What is Oxylabs?”:

“Oxylabs is a tech company specializing in large-scale web data extraction. We focus on helping companies extract essential business intelligence data.”

Oxylabs is a part of Tesonet, a large Lithuanian corporation that consults many digital businesses. In late 2018, HolaVPN raised a lawsuit against Tesonet for copyright infringement, claiming that Tesonet is using HolaVPN’s patented proxy network technology.

“... the OxyLabs residential proxy network is based upon numerous user devices, each of which is a client device identifiable over the Internet by an IP address… these user devices become part of the network through the execution of Tesonet code embedded in applications downloaded by that device’s user.”

In a nutshell, the user’s device becomes part of the proxy network (some might call it a botnet) when the device becomes idle. Companies that use this strategy consider it a “fair trade” for an ad-free app, as the user simply shares a little of their bandwidth with the proxy network.

This lawsuit became quite infamous, as it dragged popular VPN service NordVPN into the mix as well, with claims that NordVPN is owned by Tesonet – thus implying that NordVPN, a privacy-focused VPN, is engaging in customer data mining practices. It’s important to remember that these are merely allegations in the lawsuit, and many online journalists in the tech security industry have come to NordVPN’s defense. We recommend researching more information on the case (Google ‘HolaVPN vs Tesonet’), as it goes far deeper than we’re able to summarize in this article.

What does remain, however, is that Oxylabs (owned by Tesonet) inserts technology in mobile apps that does what we described earlier – turning the device into part of a proxy network when the device becomes idle. Whether or not this is a “botnet” boils down to context of language – a botnet is generally considered as being used for malicious activity, such as DDoSing websites.

A proxy network is considered a nicer way of saying “botnet that doesn’t engage in malicious activity”. However, privacy-concerned users will still have reason to be concerned about their device being used in a proxy network.

So while Treydev Inc. says that the library and his apps weren’t engaged in any data-mining, the fact remains that his app contained a library from Oxylabs, which was adding devices to Oxylabs’ “proxy network” without user knowledge, because Treydev Inc. only disclosed the presence of the library after it was removed from Google Play. Generally speaking, the user should typically be allowed to agree to their device being used in such a way.

While Treydev Inc.’s apps may be back on the Google Play Store, it’s hard to trust developers that give flims

Kamil Anwar