Oh? Maybe you could comment on what part of the f-droid article is wrong

>If you are running Android 8 or higher, a virus has been installed on your device and is silently awaiting remote activation.

I have such a phone and the "virus" has not been installed to it. There is no evidence behind this claim.

>with as many as 4 billion Android handsets and tablets estimated to have already been contaminated

This is misleading wording. It's just as true to say that as many as 1 trillion devices have been contaminated. It is state an impossible upper bound to drum up fear.

>this trojan horse runs surreptitiously in the background as a system service with full root privileges

Services in Android do not run with root privileges. Android practices the principal of least privilege where individual permissions are granted instead of giving it blanket access to everything.

>The service cannot be blocked, disabled, or removed.

This is unlikely to be true. You can most likely use "am" to disable it.

>In fact, Play Protect is itself the vector through which this virus is transmitted and installed.

This is probably false. Realistically it's going to be transmitted via the google play store like all other play service components.

>There are many things we don’t know about what to expect on September 30

>What will happen if I try to install or launch the F-Droid app?

Once active if FDroid not verified the user has to use adb or have enabled sideloading by unverified developers. If it's already installed the user can launch it.

>What will happen to all the apps I’ve installed through F-Droid? Will they be disabled? Deleted?

Nothing will happen to them.

>If apps that I rely on are suddenly disappeared, what happens to the data they contain? Can I still retrieve it?

Nothing will happen. But if Play Protect were to flag malware it manually asks you if you want to delete the app. If you delete the app the data will be lost.

Thanks, I appreciate the elaborate response.

If you can just disable it with the activity manager or similar, I don't think Google would provide another workaround with a wait time and everything - and that only after a lot of public pressure. It's claimed to be a security feature against scams, and scammers can theoretically let you open up an adb shell and run an am command, so that would negate the safety. (That this never happens in practice imo demonstrates that it's just about ecosystem control and not actually for user safety.)

I agree on the root thing though. I don't have a device here that has this service running so I can't check the process permissions for myself, but it seems extremely doubtful that it runs as uid 0. Fdroid could have dumbed the technical permission level down in more accurate way

How do you know nothing will happen to already-installed apps and their data, when the user hasn't had time yet to go through the annoyance unlock procedure?

>and scammers can theoretically let you open up an adb shell and run an am command

It requires a lot more steps to do this. Finding another computer, installing Android dev tools, finding a cable to connect them. In reality this adds a lot of friction.

>How do you know nothing will happen to already-installed apps and their data, when the user hasn't had time yet to go through the annoyance unlock procedure?

Extrapolation based off how play services has handled things so far and how Google has explained what will happen. Of course without looking at the actual code I can't say for 100% certainty, but from my perspective fdroid is fear mongering here as there is no evidence that supports this viewpoint. If they had evidence to back these dramatic claims up I would be less critical on them.