
Forum Moderators: Ocean10000 & incrediBILL & keyplyr


com.google.GoogleMobile

     
12:44 pm on Feb 19, 2017 (gmt 0)

Full Member from CA 

Top Contributors Of The Month

joined:Feb 7, 2017
posts: 208
votes: 13


com.google.GoogleMobile/23.0.0 iPad/10.2.1 hw/iPad4_5
com.google.GoogleMobile/23.0.0 iPhone/10.2.1 hw/iPhone7_2

This UA is visiting me more frequently. I tried to google it but came up empty. Apps for Android devices are denoted by com.google.android, so the GoogleMobile seems incorrect and therefore fake.

Both have variations on the end of the UA, such as hw/iPad5_3, hw/iPhone7_1.

Does anyone know who/what this is?
12:47 pm on Feb 19, 2017 (gmt 0)

Moderator This Forum from US 

WebmasterWorld Administrator keyplyr is a WebmasterWorld Top Contributor of All Time 10+ Year Member Top Contributors Of The Month

joined:Sept 26, 2001
posts:10330
votes: 591


GoogleMobile is Google+ for Android (http://www.google.com/mobile/+/)

That doesn't exempt it from being faked, just that the UA is known. If the IP is from a server farm, then it may well be a fake. If the IP is from an ISP, it is likely a human.
12:51 pm on Feb 19, 2017 (gmt 0)

Full Member from CA 

Top Contributors Of The Month

joined:Feb 7, 2017
posts: 208
votes: 13


Thanks, keyplyr. Ok, I won't nuke it.
6:35 pm on Feb 23, 2017 (gmt 0)

Senior Member from US 

WebmasterWorld Senior Member lucy24 is a WebmasterWorld Top Contributor of All Time 5+ Year Member Top Contributors Of The Month

joined:Apr 9, 2011
posts:14354
votes: 565


Showed up suddenly in logs starting a couple of days ago (20 February):

aa.bb.cc.dd - - [20/Feb/2017:08:26:02 -0800] "GET /blahblah.jpg HTTP/1.1" 200 376 "-" "com.google.GoogleMobile/23.0.0 iPhone/10.2.1 hw/iPhone7_2"
aa.bb.cc.dd - - [21/Feb/2017:16:34:18 -0800] "GET /blahblah.png HTTP/1.1" 200 70652 "-" "com.google.GoogleMobile/23.0.0 iPad/10.2 hw/iPad4_1"
aa.bb.cc.dd - - [22/Feb/2017:03:19:18 -0800] "GET /rats/images/TheCage.jpg HTTP/1.1" 200 376 "-" "com.google.GoogleMobile/23.0.0 iPad/9.3.5 hw/iPad2_7"
aa.bb.cc.dd - - [22/Feb/2017:12:37:46 -0800] "GET /blahblah.jpg HTTP/1.1" 200 346 "-" "com.google.GoogleMobile/23.0.0 iPad/9.3.5 hw/iPad2_4"
aa.bb.cc.dd - - [22/Feb/2017:13:03:02 -0800] "GET /blahblah.jpg HTTP/1.1" 200 36597 "-" "com.google.GoogleMobile/23.0.0 iPhone/10.2.1 hw/iPhone9_3"
aa.bb.cc.dd - - [22/Feb/2017:13:08:28 -0800] "GET /blahblah.png HTTP/1.1" 200 22289 "-" "com.google.GoogleMobile/23.0.0 iPhone/10.1.1 hw/iPhone7_2"
aa.bb.cc.dd - - [23/Feb/2017:02:00:17 -0800] "GET /blahblah.jpg HTTP/1.1" 200 94470 "-" "com.google.GoogleMobile/23.0.0 iPad/10.2.1 hw/iPad3_4"

All from different human IPs; the ones I checked are all English-speaking countries. All requests are for image files which I've redacted to "blahblah". I think they're coming from a mobile image search; the ones with extremely small filesizes were rewritten to onedot.gif (and the ones that weren't--probably should be if this keeps up).

Is this a new UA connected with the Google app for mobiles?

---

[edited by: keyplyr at 10:33 am (utc) on Feb 24, 2017]
[edit reason] splice clean-up [/edit]

7:51 pm on Feb 23, 2017 (gmt 0)

Full Member from CA 

Top Contributors Of The Month

joined:Feb 7, 2017
posts: 208
votes: 13


Yes, mine started on Feb 19 and have been consistent every day. They download a single image each. I tried a Google search but came up goose eggs, so cannot positively verify that it is Google+ for Android. keyplyr said so. I have my SetEnvIf ready to be uncommented...

If this UA is from Google you won't see any from China, as Google, Google+ and its Play Store are banned there.
9:37 pm on Feb 23, 2017 (gmt 0)

Senior Member from US 

WebmasterWorld Senior Member lucy24 is a WebmasterWorld Top Contributor of All Time 5+ Year Member Top Contributors Of The Month

joined:Apr 9, 2011
posts:14354
votes: 565


GoogleMobile is Google+ for Android

Hence the consistent iOS in the UAs?

:: scratching head in puzzlement ::
10:45 pm on Feb 23, 2017 (gmt 0)

Full Member from CA 

Top Contributors Of The Month

joined:Feb 7, 2017
posts: 208
votes: 13


I did not see that. Why did I not notice that?!? Ban.
5:04 am on Feb 24, 2017 (gmt 0)

Senior Member from US 

WebmasterWorld Senior Member lucy24 is a WebmasterWorld Top Contributor of All Time 5+ Year Member Top Contributors Of The Month

joined:Apr 9, 2011
posts:14354
votes: 565


Ban.

I'm just going to expand my existing rewrite for mobile searches. Few things are less server-intensive than rewriting to a single-pixel gif.
8:55 am on Feb 24, 2017 (gmt 0)

Moderator This Forum from US 

WebmasterWorld Administrator keyplyr is a WebmasterWorld Top Contributor of All Time 10+ Year Member Top Contributors Of The Month

joined:Sept 26, 2001
posts:10330
votes: 591


Hence the consistent iOS in the UAs?
Some Android apps use iOS in the UA string. This is likely because iOS was the first platform apps were developed for, so to get past possible filters, some developers just included it; kinda like browsers all using Mozilla and Android phone UAs containing Safari.

However, that point in itself doesn't validate your visits as human. These UAs could be faked.

I've seen a few botnets lately using IP addresses from compromised ISP accounts spoofing common UAs.
1:19 pm on Feb 24, 2017 (gmt 0)

Full Member from CA 

Top Contributors Of The Month

joined:Feb 7, 2017
posts: 208
votes: 13


I'm just going to expand my existing rewrite for mobile searches.

Hi Lucy, can you please explain this? It might be a new technique for me.
9:18 pm on Feb 24, 2017 (gmt 0)

Senior Member from US 

WebmasterWorld Senior Member lucy24 is a WebmasterWorld Top Contributor of All Time 5+ Year Member Top Contributors Of The Month

joined:Apr 9, 2011
posts:14354
votes: 565


It might be a new technique for me.

Here are two rules I either have or used to have (digging through old htaccess files):

RewriteCond %{HTTP_REFERER} blank\.html [OR]
RewriteCond %{HTTP_USER_AGENT} ^rarely\ used$
RewriteRule \.(jpe?g|gif|png)$ /pictures/smallgifs/onedot.gif [L]

and

RewriteCond %{HTTP_REFERER} ^-?$
RewriteCond %{HTTP_USER_AGENT} iP([oa]d|hone)|Darwin|Dalvik
RewriteRule \.(jpe?g|gif|png)$ /pictures/smallgifs/onedot.gif [L]

Exact RewriteCond can be varied to taste; just make sure you don't inadvertently exclude legitimate search engines. (Intentionally excluding them is, of course, your own choice.)

This is preceded by a rule that says simply

RewriteRule ^pictures/(hotlink|smallgifs/onedot) - [L]

analogous to the rule that puts an [L] on any custom 403 pages.

Although the rules end in [L] they should be located in the same area as RewriteRules ending in [F], since that is their purpose. The file onedot.gif weighs in at 43 bytes, so I guess the rest of the 376 is overhead.
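
Added example, not part of the post above: a Python dry run that applies the second rule's conditions (blank referer, the iP([oa]d|hone)|Darwin|Dalvik UA pattern, image extension, plus the onedot exemption) to access-log lines, so you can see which user-agents would be rewritten before deploying the rule. The function names and sample log lines are constructed for illustration; only the four regex patterns come from the post.

```python
import re
from collections import Counter

# Combined Log Format: host ident user [time] "request" status bytes "referer" "user-agent"
LOG_RE = re.compile(
    r'^(?P<host>\S+) \S+ \S+ \[(?P<time>[^\]]+)\] '
    r'"(?P<method>\S+) (?P<path>\S+) [^"]*" (?P<status>\d{3}) (?P<size>\S+) '
    r'"(?P<referer>[^"]*)" "(?P<ua>[^"]*)"$'
)

# Patterns copied from the rules in the post; mod_rewrite is case-sensitive without [NC].
EXEMPT = re.compile(r'^pictures/(hotlink|smallgifs/onedot)')
IMAGE = re.compile(r'\.(jpe?g|gif|png)$')
BLANK_REFERER = re.compile(r'^-?$')
MOBILE_UA = re.compile(r'iP([oa]d|hone)|Darwin|Dalvik')

def would_rewrite(path, referer, ua):
    """True if the request would be answered with onedot.gif (hypothetical helper)."""
    # In .htaccess the RewriteRule pattern sees the path without leading slash or query string.
    path = path.split('?', 1)[0].lstrip('/')
    if EXEMPT.search(path):
        return False
    return bool(IMAGE.search(path) and BLANK_REFERER.search(referer)
                and MOBILE_UA.search(ua))

def dry_run(lines):
    """Count rewritten and untouched requests per user-agent; unparsable lines are skipped."""
    hits, passed = Counter(), Counter()
    for line in lines:
        m = LOG_RE.match(line.strip())
        if not m:
            continue
        bucket = hits if would_rewrite(m['path'], m['referer'], m['ua']) else passed
        bucket[m['ua']] += 1
    return hits, passed

# Constructed sample lines (documentation IP range), modelled on the log excerpt in this thread.
SAMPLE = [
    '192.0.2.10 - - [22/Feb/2017:13:03:02 -0800] "GET /blahblah.jpg HTTP/1.1" 200 36597 "-" "com.google.GoogleMobile/23.0.0 iPhone/10.2.1 hw/iPhone9_3"',
    '192.0.2.11 - - [22/Feb/2017:13:04:10 -0800] "GET /blahblah.JPG HTTP/1.1" 200 36597 "-" "com.google.GoogleMobile/23.0.0 iPad/9.3.5 hw/iPad2_4"',
    '192.0.2.12 - - [22/Feb/2017:13:05:00 -0800] "GET /blahblah.jpg HTTP/1.1" 200 36597 "http://example.com/page.html" "Mozilla/5.0 (iPhone; CPU iPhone OS 10_2_1 like Mac OS X) AppleWebKit/602.4.6 (KHTML, like Gecko) Version/10.0 Mobile/14D27 Safari/602.1"',
    '192.0.2.13 - - [22/Feb/2017:13:06:00 -0800] "GET /blahblah.png HTTP/1.1" 200 22289 "-" "Googlebot-Image/1.0"',
    '192.0.2.10 - - [22/Feb/2017:13:07:00 -0800] "GET /pictures/smallgifs/onedot.gif HTTP/1.1" 200 43 "-" "com.google.GoogleMobile/23.0.0 iPhone/10.2.1 hw/iPhone9_3"',
]

if __name__ == "__main__":
    hits, passed = dry_run(SAMPLE)
    print("rewritten:", dict(hits))
    print("untouched:", dict(passed))
```

In the sample, the uppercase .JPG request slips past the rule because the pattern has no [NC] flag, and the blank-referer Googlebot-Image request is left alone because its UA matches none of the alternatives.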
3:15 am on Feb 25, 2017 (gmt 0)

Full Member from CA 

Top Contributors Of The Month

joined:Feb 7, 2017
posts: 208
votes: 13


Thanks Lucy,
RewriteRule ^pictures/(hotlink|smallgifs/onedot) - [L]

RewriteCond %{HTTP_REFERER} condition1 [OR]
RewriteCond %{HTTP_USER_AGENT} condition2
RewriteRule \.(jpe?g|gif|png)$ /pictures/smallgifs/onedot.gif [L]

I understand the second section: meet a condition, serve up your single pixel image, stop processing. Why do you need the first condition, as it looks repetitive?

"iP([oa]d|hone)" is some nice regex! I like it.
3:25 am on Feb 25, 2017 (gmt 0)

Moderator This Forum from US 

WebmasterWorld Administrator keyplyr is a WebmasterWorld Top Contributor of All Time 10+ Year Member Top Contributors Of The Month

joined:Sept 26, 2001
posts:10330
votes: 591


Looks like the iPhone version has the same attribute: com.google.GoogleMobile

@TorontoBoy - you asked & lucy24 replied but future discussion concerning htaccess code should be done in the Apache forum [webmasterworld.com].

That's where we discuss code technique. This forum is for UA identification.

Thanks
9:42 am on Mar 2, 2017 (gmt 0)

Moderator This Forum from US 

WebmasterWorld Administrator keyplyr is a WebmasterWorld Top Contributor of All Time 10+ Year Member Top Contributors Of The Month

joined:Sept 26, 2001
posts:10330
votes: 591


So I've been seeing this UA in the logs of several different sites & have been observing its behavior, much like reported above.

While com.google.GoogleMobile does represent the Google app family, there is another Google app that is ported called Photos. It's a gallery app used to retrieve photos and post to Google+.

However I don't see this behavior as legit, not at this high request rate. I suspect these IPs are compromised and either using this app to scrape image files, or it is some other HTTP client faking the UA.

Hopefully the hits will die off. I'm currently blocking the UA since I've not seen it before in any legit use.
5:45 pm on Mar 2, 2017 (gmt 0)

Full Member from CA 

Top Contributors Of The Month

joined:Feb 7, 2017
posts: 208
votes: 13


I've rooted many Android phones and am familiar with all Google apps. Of course Google makes it really difficult to extricate itself from Android. The hidden and protected Android app Google Play is actually called com.google.android.gms-1.apk or com.google.android.gms-2.apk, and is the heart of the Google software ecosystem. This has been a long-standing naming convention, and is common in Java.

Traffic from this UA is not abating, but increasing, even when I return 403s. It looks just like a scraper bot. I have not checked the IPs for origin.

Legit Googlebot crawlers: [support.google.com...]
5:59 pm on Mar 2, 2017 (gmt 0)

Full Member from CA 

Top Contributors Of The Month

joined:Feb 7, 2017
posts: 208
votes: 13


minimal.iOS (https://github.com/colbyfayock/minimal.iOS.7) is an addon to the iOS Winterboard theme. It contains a lockscreen and a huge number of icons. One of those icon sets is called com.google.GoogleMobile. The icon set contains variations of a blue box with a serif lowercase "g" in white.

This GitHub repository has nothing to do with a bot.
1:26 am on Mar 3, 2017 (gmt 0)

Moderator This Forum from US 

WebmasterWorld Administrator keyplyr is a WebmasterWorld Top Contributor of All Time 10+ Year Member Top Contributors Of The Month

joined:Sept 26, 2001
posts:10330
votes: 591


Stopped abruptly