The CommonsBlog


Compose GitHub Repositories as Malware Vectors

As part of my work each week preparing the JetC newsletter, I review all of the GitHub repositories that have been updated in the past week and are tagged with jetpack-compose or compose-multiplatform. Not only does this give me material for the newsletter, but it gives me unusual insight into what is being published pertaining to Compose.

In the past month or so, I have noticed repositories that purport to be Compose libraries, but in reality are distributing malware. I have reported a total of five repositories to GitHub and am keeping an eye on others that match the pattern but do not yet have obvious malware.

The pattern is:

  • The repositories share a name and most of the content from existing repositories, but usually replace the home page with a generic one. They are not true GitHub forks, or at least do not show up as such in the GitHub UI, but the repositories share commits with their originating repositories. This helps the attacker appear to be legitimate, as GitHub happily reports the originating author as being a contributor on the attacker’s project.

  • The malware is in the form of a ZIP archive containing a Lua interpreter, an obfuscated Lua script, and a Windows command file to launch the interpreter and run the script.

  • That malware usually is distributed in the Releases area and often is linked to from the modified repository home page.
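As an added defender-side example (not code from the post), here is a Python triage script that inspects a release ZIP's listing without extracting anything to disk and flags the packaging pattern described above: a Lua interpreter executable, a `.lua` script, and a `.cmd`/`.bat` launcher that invokes the interpreter. The file names, the regexes and the in-memory sample archives are constructed assumptions for illustration; a renamed interpreter or a differently packaged payload would not match, so treat a hit as a reason to look closer, not as proof either way.

```python
import io
import re
import zipfile

# Name patterns are assumptions modelled on the described pattern
# (Lua interpreter + Lua script + Windows command-file launcher).
INTERPRETER_RE = re.compile(r"(^|/)lua[^/]*\.(exe|dll)$", re.IGNORECASE)
SCRIPT_RE = re.compile(r"\.lua$", re.IGNORECASE)
LAUNCHER_RE = re.compile(r"\.(cmd|bat)$", re.IGNORECASE)


def classify_entries(names):
    """Map each archive entry to the role it could play in the pattern."""
    roles = {"interpreter": [], "script": [], "launcher": []}
    for name in names:
        if name.endswith("/"):
            continue  # directory entries carry no payload
        if INTERPRETER_RE.search(name):
            roles["interpreter"].append(name)
        elif SCRIPT_RE.search(name):
            roles["script"].append(name)
        elif LAUNCHER_RE.search(name):
            roles["launcher"].append(name)
    return roles


def assess_release_zip(data: bytes):
    """Flag an archive only if all three roles are present and wired together."""
    with zipfile.ZipFile(io.BytesIO(data)) as zf:
        roles = classify_entries(zf.namelist())
        # The launcher ties the pieces together: confirm it references a lua
        # executable. This is a plain text scan; nothing is executed.
        wires = any("lua" in zf.read(n).decode("utf-8", "replace").lower()
                    for n in roles["launcher"])
    return {"suspicious": all(roles.values()) and wires, "roles": roles}


def build_sample(with_payload: bool) -> bytes:
    """Constructed sample archives; every entry body is a placeholder."""
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w") as zf:
        zf.writestr("README.md", "# sample compose library release\n")
        if with_payload:
            zf.writestr("bin/lua54.exe", b"MZ placeholder, not a real binary")
            zf.writestr("bin/loader.lua", "-- placeholder obfuscated script\n")
            zf.writestr("run.cmd", "@echo off\r\nbin\\lua54.exe bin\\loader.lua\r\n")
        else:
            zf.writestr("lib/compose-thing.aar", b"PK placeholder")
    return buf.getvalue()
```

Run `assess_release_zip(build_sample(True))` and `assess_release_zip(build_sample(False))` to see the flagged and benign results side by side.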

GitHub has taken down the original two repositories that I reported. The other three I reported yesterday, so hopefully I will get responses from GitHub in a few days.

If you develop using Compose libraries, try to make sure that you are using legitimate projects, not malware-laden clones. If you publish Compose libraries… I do not know if GitHub gives you a way to see what repositories contain your commits, but if it does, you might want to keep an eye on that list and confirm that they are real forks and not vectors for malware.

And, if you are GitHub… it is well past time for you to be implementing malware detection on uploaded ZIP archives. Relying on random balding guys to report malware to you reflects poorly on GitHub and Microsoft.

Dec 14, 2025


10 December 2025 Artifact Wave

Camera and Media3 received updates:

  • androidx.camera:camera-camera2:1.5.2
  • androidx.camera:camera-compose:1.5.2
  • androidx.camera:camera-core:1.5.2
  • androidx.camera:camera-effects:1.5.2
  • androidx.camera:camera-extensions:1.5.2
  • androidx.camera:camera-lifecycle:1.5.2
  • androidx.camera:camera-mlkit-vision:1.5.2
  • androidx.camera:camera-video:1.5.2
  • androidx.camera:camera-view:1.5.2
  • androidx.camera.featurecombinationquery:featurecombinationquery:1.5.2
  • androidx.camera.featurecombinationquery:featurecombinationquery-play-services:1.5.2
  • androidx.camera.viewfinder:viewfinder-compose:1.5.2
  • androidx.camera.viewfinder:viewfinder-core:1.5.2
  • androidx.camera.viewfinder:viewfinder-view:1.5.2
  • androidx.core:core-backported-fixes:1.0.0-rc02
  • androidx.gradle:gradle-version-catalog:2025.12.00
  • androidx.gradle:gradle-version-catalog-alpha:2025.12.00
  • androidx.gradle:gradle-version-catalog-beta:2025.12.00
  • androidx.media3:media3-cast:1.9.0-rc01
  • androidx.media3:media3-common:1.9.0-rc01
  • androidx.media3:media3-common-ktx:1.9.0-rc01
  • androidx.media3:media3-container:1.9.0-rc01
  • androidx.media3:media3-database:1.9.0-rc01
  • androidx.media3:media3-datasource:1.9.0-rc01
  • androidx.media3:media3-datasource-cronet:1.9.0-rc01
  • androidx.media3:media3-datasource-okhttp:1.9.0-rc01
  • androidx.media3:media3-datasource-rtmp:1.9.0-rc01
  • androidx.media3:media3-decoder:1.9.0-rc01
  • androidx.media3:media3-effect:1.9.0-rc01
  • androidx.media3:media3-exoplayer:1.9.0-rc01
  • androidx.media3:media3-exoplayer-dash:1.9.0-rc01
  • androidx.media3:media3-exoplayer-hls:1.9.0-rc01
  • androidx.media3:media3-exoplayer-ima:1.9.0-rc01
  • androidx.media3:media3-exoplayer-midi:1.9.0-rc01
  • androidx.media3:media3-exoplayer-rtsp:1.9.0-rc01
  • androidx.media3:media3-exoplayer-smoothstreaming:1.9.0-rc01
  • androidx.media3:media3-exoplayer-workmanager:1.9.0-rc01
  • androidx.media3:media3-extractor:1.9.0-rc01
  • androidx.media3:media3-inspector:1.9.0-rc01
  • androidx.media3:media3-muxer:1.9.0-rc01
  • androidx.media3:media3-session:1.9.0-rc01
  • androidx.media3:media3-test-utils:1.9.0-rc01
  • androidx.media3:media3-test-utils-robolectric:1.9.0-rc01
  • androidx.media3:media3-transformer:1.9.0-rc01
  • androidx.media3:media3-ui:1.9.0-rc01
  • androidx.media3:media3-ui-compose:1.9.0-rc01
  • androidx.media3:media3-ui-compose-material3:1.9.0-rc01
  • androidx.media3:media3-ui-leanback:1.9.0-rc01

Dec 10, 2025


3 December 2025 Artifact Wave

We got one new artifact group, androidx.webgpu, containing a single androidx.webgpu:webgpu artifact. WebGPU “is intended to supersede the older WebGL as the main graphics standard for the Web”.

We also got three new DataStore artifacts, extending its multiplatform support:

  • androidx.datastore:datastore-core-js
  • androidx.datastore:datastore-core-okio-js
  • androidx.datastore:datastore-preferences-core-js

You can find the rest of the 600+ updated artifacts here!

Dec 03, 2025


RemoteCompose: Cute or Crucial?

A couple of months ago, Google dropped some code for something called RemoteCompose. Google’s Nicolas Roard and John Hoford spoke about it at droidcon London; the slides are available. RemoteCompose is in a pre-alpha state at the moment.

In one sense, RemoteCompose is like Glance. Glance uses composables to create app widgets. However, Glance does not support the full lineup of foundation composables; rather, it has its own foundation. That is because Glance composables generate a RemoteViews structure — a binary document that describes a UI and light interaction that can be passed across process boundaries.

Similarly, RemoteCompose has its own set of foundation composables and related tooling. RemoteCompose composables generate a binary document that describes a UI and light interaction that can be passed across process or machine boundaries. So, whereas Glance is mostly aimed at app widgets and some Wear OS elements, RemoteCompose composables could be played on non-Android targets.

The roster of capabilities is impressive. In some parallel universe, RemoteViews got all these capabilities, courtesy of continued Google investment in that bit of technology.

John and Nicolas offer up interesting possibilities for this technology, from the semi-conventional (server-defined UIs) to the mind-blowing (composables delivered via NFC tags or QR codes). I could also see this being used for stuff like Android Auto (phones delivering UI to the dashboard) or Android Automotive (e.g., via a binary document player for an RTOS powering the instrument cluster).

So, it seems slick.

However, this is where I need to raise warning flags. Google’s past is not conducive to this sort of future.

The two technologies that RemoteCompose reminds me most of are Instant Apps and slices. Instant Apps was strategic for Google… until it wasn’t. Developers who invested in Instant Apps got some benefit for a modest period of time, but that’s it. Any firms who relied on Instant Apps got screwed in the end.

Slices are an even closer comparison. While you may not remember slices, they were an API for building a binary document that described a UI and light interaction that could be passed across process or machine boundaries. In practice, Google only advertised cross-process use, but they had code that hinted at cross-machine use. Slices were not simple, but they were far simpler than what needs to go into RemoteCompose. And slices lasted about a year before Google abandoned the initiative, despite slices being promoted at Google I|O and trumpeted in an Android release.

So, before I invest a lot in RemoteCompose beyond cute demos, I will want to see some strong signs that RemoteCompose will be usable in a decade or more, such as:

  • Does JetBrains publicly “get on board” and start pushing RemoteCompose, so RemoteCompose is not dependent entirely upon the whims of Google?

  • Is Google itself becoming reliant upon RemoteCompose for certain products and services outside of the Android team?

  • Does Google publish (and show signs of maintaining) a clear specification for the binary document format?

  • To what extent does Google encourage outside contributions to the document player ecosystem, both to their own players and in creating independent players?

  • Does RemoteCompose show signs of migrating from Google control to control by a semi-independent working group, or even to a standards body?

PDF is a great comparison point. Had it been just the work product of a few Adobe engineers back in the day, it might not have lasted. But Adobe published specifications and eventually transferred control to an ISO committee as part of a standardization effort. Getting to that standardization took nearly two decades, but the specification and (possibly grudging) support of external PDF renderer implementations were signposts indicating that PDF was more than “a flash in the pan”.

I am sorry if I am sounding negative about RemoteCompose. I have been looking forward to something like this for a long time, and it genuinely is exciting to me to see RemoteCompose being worked upon. It’s just that the graveyard is filled with headstones, and savvy developers and firms need to take that into account.

Nov 28, 2025


26 November 2025 Artifact Wave

The highlight is that Media3 is up to 1.9.0-beta01:

  • androidx.gradle:gradle-version-catalog:2025.11.01
  • androidx.gradle:gradle-version-catalog-alpha:2025.11.01
  • androidx.gradle:gradle-version-catalog-beta:2025.11.01
  • androidx.media3:media3-cast:1.9.0-beta01
  • androidx.media3:media3-common:1.9.0-beta01
  • androidx.media3:media3-common-ktx:1.9.0-beta01
  • androidx.media3:media3-container:1.9.0-beta01
  • androidx.media3:media3-database:1.9.0-beta01
  • androidx.media3:media3-datasource:1.9.0-beta01
  • androidx.media3:media3-datasource-cronet:1.9.0-beta01
  • androidx.media3:media3-datasource-okhttp:1.9.0-beta01
  • androidx.media3:media3-datasource-rtmp:1.9.0-beta01
  • androidx.media3:media3-decoder:1.9.0-beta01
  • androidx.media3:media3-effect:1.9.0-beta01
  • androidx.media3:media3-exoplayer:1.9.0-beta01
  • androidx.media3:media3-exoplayer-dash:1.9.0-beta01
  • androidx.media3:media3-exoplayer-hls:1.9.0-beta01
  • androidx.media3:media3-exoplayer-ima:1.9.0-beta01
  • androidx.media3:media3-exoplayer-midi:1.9.0-beta01
  • androidx.media3:media3-exoplayer-rtsp:1.9.0-beta01
  • androidx.media3:media3-exoplayer-smoothstreaming:1.9.0-beta01
  • androidx.media3:media3-exoplayer-workmanager:1.9.0-beta01
  • androidx.media3:media3-extractor:1.9.0-beta01
  • androidx.media3:media3-inspector:1.9.0-beta01
  • androidx.media3:media3-muxer:1.9.0-beta01
  • androidx.media3:media3-session:1.9.0-beta01
  • androidx.media3:media3-test-utils:1.9.0-beta01
  • androidx.media3:media3-test-utils-robolectric:1.9.0-beta01
  • androidx.media3:media3-transformer:1.9.0-beta01
  • androidx.media3:media3-ui:1.9.0-beta01
  • androidx.media3:media3-ui-compose:1.9.0-beta01
  • androidx.media3:media3-ui-compose-material3:1.9.0-beta01
  • androidx.media3:media3-ui-leanback:1.9.0-beta01

Nov 26, 2025

