com.google.GoogleMobile

         

TorontoBoy

12:44 pm on Feb 19, 2017 (gmt 0)

5+ Year Member Top Contributors Of The Month



com.google.GoogleMobile/23.0.0 iPad/10.2.1 hw/iPad4_5
com.google.GoogleMobile/23.0.0 iPhone/10.2.1 hw/iPhone7_2

This UA is visiting me more frequently. I tried to google it but came up empty. Apps for Android devices are denoted by com.google.android, so the GoogleMobile seems incorrect and therefore fake.

Both have variations on the end of the UA, such as hw/iPad5_3, hw/iPhone7_1.

Does anyone know who/what this is?

lucy24

6:35 pm on Feb 23, 2017 (gmt 0)

WebmasterWorld Senior Member 10+ Year Member Top Contributors Of The Month



Showed up suddenly in logs starting a couple of days ago (20 February):

aa.bb.cc.dd - - [20/Feb/2017:08:26:02 -0800] "GET /blahblah.jpg HTTP/1.1" 200 376 "-" "com.google.GoogleMobile/23.0.0 iPhone/10.2.1 hw/iPhone7_2"
aa.bb.cc.dd - - [21/Feb/2017:16:34:18 -0800] "GET /blahblah.png HTTP/1.1" 200 70652 "-" "com.google.GoogleMobile/23.0.0 iPad/10.2 hw/iPad4_1"
aa.bb.cc.dd - - [22/Feb/2017:03:19:18 -0800] "GET /rats/images/TheCage.jpg HTTP/1.1" 200 376 "-" "com.google.GoogleMobile/23.0.0 iPad/9.3.5 hw/iPad2_7"
aa.bb.cc.dd - - [22/Feb/2017:12:37:46 -0800] "GET /blahblah.jpg HTTP/1.1" 200 346 "-" "com.google.GoogleMobile/23.0.0 iPad/9.3.5 hw/iPad2_4"
aa.bb.cc.dd - - [22/Feb/2017:13:03:02 -0800] "GET /blahblah.jpg HTTP/1.1" 200 36597 "-" "com.google.GoogleMobile/23.0.0 iPhone/10.2.1 hw/iPhone9_3"
aa.bb.cc.dd - - [22/Feb/2017:13:08:28 -0800] "GET /blahblah.png HTTP/1.1" 200 22289 "-" "com.google.GoogleMobile/23.0.0 iPhone/10.1.1 hw/iPhone7_2"
aa.bb.cc.dd - - [23/Feb/2017:02:00:17 -0800] "GET /blahblah.jpg HTTP/1.1" 200 94470 "-" "com.google.GoogleMobile/23.0.0 iPad/10.2.1 hw/iPad3_4"

All from different human IPs; the ones I checked are all English-speaking countries. All requests are for image files which I've redacted to "blahblah". I think they're coming from a mobile image search; the ones with extremely small filesizes were rewritten to onedot.gif (and the ones that weren't--probably should be if this keeps up).

Is this a new UA connected with the Google app for mobiles?

---

[edited by: keyplyr at 10:33 am (utc) on Feb 24, 2017]
[edit reason] splice clean-up [/edit]

TorontoBoy

7:51 pm on Feb 23, 2017 (gmt 0)

5+ Year Member Top Contributors Of The Month



Yes, mine started on Feb 19 and have been consistent every day. They download a single image each. I tried a Google search but came up goose eggs, so cannot positively verify that it is Google+ for Android. keyplyr said so. I have my SetEnvIf ready to be uncommented...

If this UA is from Google you won't see any from China, as Google, Google+ and its Play Store are banned there.

lucy24

9:37 pm on Feb 23, 2017 (gmt 0)

WebmasterWorld Senior Member 10+ Year Member Top Contributors Of The Month



GoogleMobile is Google+ for Android

Hence the consistent iOS in the UAs?

:: scratching head in puzzlement ::

TorontoBoy

10:45 pm on Feb 23, 2017 (gmt 0)

5+ Year Member Top Contributors Of The Month



I did not see that. Why did I not notice that?!? Ban.

lucy24

5:04 am on Feb 24, 2017 (gmt 0)

WebmasterWorld Senior Member 10+ Year Member Top Contributors Of The Month



Ban.

I'm just going to expand my existing rewrite for mobile searches. Few things are less server-intensive than rewriting to a single-pixel gif.

keyplyr

8:55 am on Feb 24, 2017 (gmt 0)

WebmasterWorld Senior Member 10+ Year Member Top Contributors Of The Month



Hence the consistent iOS in the UAs?
Some Android apps use iOS in the UA string. This is likely because iOS was the first platform apps were developed for, so to get past possible filters, some developers just included it; kinda like browsers all using Mozilla and Android phone UAs containing Safari.

However, that point in itself doesn't validate your visits as human. These UAs could be faked.

I've seen a few botnets lately using IP addresses from compromised ISP accounts spoofing common UAs.

TorontoBoy

1:19 pm on Feb 24, 2017 (gmt 0)

5+ Year Member Top Contributors Of The Month



I'm just going to expand my existing rewrite for mobile searches.

Hi Lucy, can you please explain this? It might be a new technique for me.

lucy24

9:18 pm on Feb 24, 2017 (gmt 0)

WebmasterWorld Senior Member 10+ Year Member Top Contributors Of The Month



It might be a new technique for me.

Here are two rules I either have or used to have (digging through old htaccess files):
RewriteCond %{HTTP_REFERER} blank\.html [OR]
RewriteCond %{HTTP_USER_AGENT} ^rarely\ used$
RewriteRule \.(jpe?g|gif|png)$ /pictures/smallgifs/onedot.gif [L]
and
RewriteCond %{HTTP_REFERER} ^-?$
RewriteCond %{HTTP_USER_AGENT} iP([oa]d|hone)|Darwin|Dalvik
RewriteRule \.(jpe?g|gif|png)$ /pictures/smallgifs/onedot.gif [L]
Exact RewriteCond can be varied to taste; just make sure you don't inadvertently exclude legitimate search engines. (Intentionally excluding them is, of course, your own choice.)

This is preceded by a rule that says simply
RewriteRule ^pictures/(hotlink|smallgifs/onedot) - [L]
analogous to the rule that puts an [L] on any custom 403 pages.

Although the rules end in [L] they should be located in the same area as RewriteRules ending in [F], since that is their purpose. The file onedot.gif weighs in at 43 bytes, so I guess the rest of the 376 is overhead.
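
A dry run of the second rule set above against access-log lines, as an added example that is not part of lucy24's post or of any site's real configuration: it applies the same patterns in Python to show which logged requests would be rewritten to onedot.gif, and that a referer-less image crawler such as Googlebot-Image is not caught. The log lines, IPs and paths are constructed; it assumes combined log format and a root-level .htaccess, where patterns see the path without its leading slash.

```python
import re
from collections import Counter

# Apache combined log format; only the fields the rules look at are named.
LOG_RE = re.compile(
    r'(?P<ip>\S+) \S+ \S+ \[[^\]]+\] "\S+ (?P<path>\S+) [^"]*" '
    r'\d{3} \S+ "(?P<referer>[^"]*)" "(?P<ua>[^"]*)"')
# Patterns copied from the post above (case-sensitive, as in Apache without [NC]).
REFERER_COND = re.compile(r'^-?$')                     # RewriteCond %{HTTP_REFERER}
UA_COND = re.compile(r'iP([oa]d|hone)|Darwin|Dalvik')  # RewriteCond %{HTTP_USER_AGENT}
IMAGE_RULE = re.compile(r'\.(jpe?g|gif|png)$')         # RewriteRule pattern
PASS_THROUGH = re.compile(r'^pictures/(hotlink|smallgifs/onedot)')  # earlier "- [L]" rule

# Constructed sample lines (documentation IP ranges, made-up paths).
SAMPLE = [
    '192.0.2.10 - - [22/Feb/2017:13:03:02 -0800] "GET /img/cage.jpg HTTP/1.1" 200 36597 "-" "com.google.GoogleMobile/23.0.0 iPhone/10.2.1 hw/iPhone9_3"',
    '192.0.2.11 - - [22/Feb/2017:13:08:28 -0800] "GET /img/cage.png?x=1 HTTP/1.1" 200 22289 "-" "com.google.GoogleMobile/23.0.0 iPad/9.3.5 hw/iPad2_7"',
    '198.51.100.7 - - [22/Feb/2017:13:09:00 -0800] "GET /img/cage.jpg HTTP/1.1" 200 36597 "-" "Googlebot-Image/1.0"',
    '203.0.113.5 - - [22/Feb/2017:13:10:00 -0800] "GET /img/cage.jpg HTTP/1.1" 200 36597 "http://example.com/rats/" "Mozilla/5.0 (iPhone; CPU iPhone OS 10_2_1 like Mac OS X) AppleWebKit/602.4.6 (KHTML, like Gecko) Version/10.0 Mobile/14D27 Safari/602.1"',
    '192.0.2.10 - - [22/Feb/2017:13:11:00 -0800] "GET /pictures/smallgifs/onedot.gif HTTP/1.1" 200 43 "-" "com.google.GoogleMobile/23.0.0 iPhone/10.2.1 hw/iPhone9_3"',
    '192.0.2.12 - - [22/Feb/2017:13:12:00 -0800] "GET /rats/index.html HTTP/1.1" 200 5120 "-" "com.google.GoogleMobile/23.0.0 iPhone/10.2.1 hw/iPhone7_2"',
]

def parse(line):
    """Return the named log fields as a dict, or None for an unparsable line."""
    m = LOG_RE.match(line)
    return m.groupdict() if m else None

def would_rewrite(entry):
    """True if the rules would serve onedot.gif for this logged request."""
    # RewriteRule sees the path only: no query string, no leading slash.
    path = entry['path'].split('?', 1)[0].lstrip('/')
    if PASS_THROUGH.search(path):
        return False  # the placeholder image itself is left alone
    return bool(IMAGE_RULE.search(path)
                and REFERER_COND.search(entry['referer'])
                and UA_COND.search(entry['ua']))

def dry_run(lines):
    """Count (UA product token, rewritten?) pairs over the given log lines."""
    tally = Counter()
    for entry in filter(None, map(parse, lines)):
        product = entry['ua'].split('/', 1)[0] or '(empty)'
        tally[(product, would_rewrite(entry))] += 1
    return tally

if __name__ == '__main__':
    for (product, hit), count in sorted(dry_run(SAMPLE).items()):
        print(f'{count:3d}  rewritten={hit!s:5}  {product}')
```

Feeding it a real access log instead of SAMPLE shows, before the rule goes live, whether any user agent you want to keep falls into the rewritten bucket.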

TorontoBoy

3:15 am on Feb 25, 2017 (gmt 0)

5+ Year Member Top Contributors Of The Month



Thanks Lucy,
RewriteRule ^pictures/(hotlink|smallgifs/onedot) - [L]

RewriteCond %{HTTP_REFERER} condition1 [OR]
RewriteCond %{HTTP_USER_AGENT} condition2
RewriteRule \.(jpe?g|gif|png)$ /pictures/smallgifs/onedot.gif [L]

I understand the second section: meet a condition, serve up your single pixel image, stop processing. Why do you need the first condition, as it looks repetitive?

"iP([oa]d|hone)" is some nice regex! I like it.

keyplyr

3:25 am on Feb 25, 2017 (gmt 0)

WebmasterWorld Senior Member 10+ Year Member Top Contributors Of The Month



Looks like the iPhone version has the same attribute: com.google.GoogleMobile

@TorontoBoy - you asked & lucy24 replied but future discussion concerning htaccess code should be done in the Apache forum [webmasterworld.com].

That's where we discuss code technique. This forum is for UA identification.

Thanks

keyplyr

9:42 am on Mar 2, 2017 (gmt 0)

WebmasterWorld Senior Member 10+ Year Member Top Contributors Of The Month



So I've been seeing this UA in the logs of several different sites & have been observing its behavior, much like reported above.

While com.google.GoogleMobile does represent the Google app family, there is another Google app that is ported called Photos. It's a gallery app used to retrieve photos and post to Google+.

However I don't see this behavior as legit, not at this high request rate. I suspect these IPs are compromised and either using this app to scrape image files, or it is some other HTTP client faking the UA.

Hopefully the hits will die off. I'm currently blocking the UA since I've not seen it before in any legit use.

TorontoBoy

5:45 pm on Mar 2, 2017 (gmt 0)

5+ Year Member Top Contributors Of The Month



I've rooted many Android phones and am familiar with all Google apps. Of course Google makes it really difficult to extricate itself from Android. The hidden and protected Android app Google Play is actually called com.google.android.gms-1.apk or com.google.android.gms-2.apk, and is the heart of the Google software ecosystem. This has been a long-standing naming convention, and is common in Java.

Traffic from this UA is not abating, but increasing, even when I return 403s. It looks just like a scraper bot. I have not checked the IPs for origin.

Legit Googlebot crawlers: [support.google.com...]

TorontoBoy

5:59 pm on Mar 2, 2017 (gmt 0)

5+ Year Member Top Contributors Of The Month



minimal.iOS (https://github.com/colbyfayock/minimal.iOS.7) is an addon to the iOS Winterboard theme. It contains a lockscreen and a huge number of icons. One of those icon sets is called com.google.GoogleMobile. The icon set contains variations of a blue box with a serif lowercase "g" in white.

This github repository has nothing to do with a bot.

keyplyr

1:26 am on Mar 3, 2017 (gmt 0)

WebmasterWorld Senior Member 10+ Year Member Top Contributors Of The Month



Stopped abruptly