How does the Facebook Android App install Facebook Messenger?

Question

I was very surprised when I found out that the Facebook app on Android apparently is able to install the Facebook Messenger app without asking for permission.

I'm aware that it is possible to install an app via another app, but the user needs to confirm the installation via a system dialog. In addition to that, on newer Android versions the user needs to give the "install from unknown sources" permission to the app that tries to make install requests.

Yet, i have not granted Facebook any install permission and there was no sysyem level dialog asking me to confirm the installation. I have also made sure that Messenger wasn't already installed before.

Im using a Poco F2 Pro running Android 10 (Miui 12). I observed the same behaviour on different devices. What kind of magic is used by Facebook here?

Answer 1

If you allow it to install, and check the app settings for messenger afterwards, you'll most likely (depending on version and device) see at the very bottom what app installed it. On my devices, it says something like this:

Now this is key: Notice that it's not saying Google Play, nor Facebook itself. It mentions "Facebook App Installer".

So what is this? Well, go into Settings > Apps to look for it. More than likely, you'll find 2 apps here; "Facebook App Installer" (com.facebook.system), and "Facebook App Manager" (com.facebook.appmanager).

Now, it seems that these two apps come preinstalled on a lot of android devices (most?), and they are responsible for installing updates to the Facebook and Facebook messenger app. I haven't decompiled these and dug into them just yet, but the fact that "Facebook App Installer" is listed as the installer of all Facebook related apps, and the fact that Facebook App Installer comes preinstalled should tell you all you need to know to answer the question here of how Facebook circumvents the permission requests to install messenger.

For the sake of completeness I'll also mention

• Neither of these two apps are mentioned in "Install unknown apps" (Settings > Apps > Special access > Install unknown apps).
• Facebook App Installer doesn't have any "dangerous" permissions listed in it's app settings. The only permission listed is "retrieve running apps".
• Facebook App Manager also does not have any "dangerous" permissions listed in it's app settings. It does have some permissions that aren't marked as dangerous. Namely: View network connections, prevent phone from sleeping, measure app storage space, run foreground service, run at startup, have full network access, download files without notification, view Wi-Fi connections. Nothing really surprising here.

So to summarize. There's preinstalled apps on your phone. All things related to Facebook are installed and managed through these two apps instead of through the usual channels.

---

Due to the nature of Facebook there's quite a bit of speculation and hearsay essentially accusing these apps of data-collection on devices and other various nefarious purposes.

Searching for these didn't really give me a lot of information: But they are nonetheless discussed on the following links. Please note that most of these links link to community content, and so they tend to contain a lot of Facebook paranoia and sensationalism.

https://www.facebook.com/help/android-app/812681095504818 This link is facebooks own help-page that briefly mentions these apps in passing in describing how to disable facebook app updates.

https://support.google.com/android/thread/25263840?hl=en It's also mentioned briefly here, on a support thread on Google Community Android Help.

https://forum.xda-developers.com/tmobile-lg-v10/help/suspicious-apps-apps-section-facebook-t3415876 Briefly talks about how to remove (seems you must root your phone to truly get rid of this). It also links to https://www.theregister.com/2018/05/22/facebook_data_leak_no_account/ which seems to speculate that these two apps collect data from device even when the Facebook app (and messenger) isn't installed on device. Meanwhile https://thenextweb.com/finance/2019/01/09/no-samsung-isnt-pre-installing-facebook-on-your-phone/ says the reverse thing; that these two apps does not collect any information on their own.

Answer 2

You can add more than one shortcut for a single APK to the application draw using the manifest file. I imagine Facebook have used this to spoof that there are two applications.

    <activity android:name=".FacebookActiviy">
        <intent-filter>
            <action android:name="android.intent.action.MAIN" />

            <category android:name="android.intent.category.LAUNCHER" />
        </intent-filter>
    </activity>
    <activity android:name=".FacebookMessengerActivity">
        <intent-filter>
            <action android:name="android.intent.action.MAIN" />

            <category android:name="android.intent.category.LAUNCHER" />
        </intent-filter>
    </activity>

Are there two APKs on the device, or just one? You can see the full list of actual APKs using ADB:

adb shell pm list packages -f

This will probably display a lot (maybe 100 or so) apps, but you can search the results for Facebook to see how many APKs they've actually installed. If I'm correct there will only be one.