Unofficial Copies of Android Support Libraries Being Distributed on JCenter

Last Updated: 9/20/2016

Google has recently discovered that a person or entity has published several unofficial versions of the Android Support Libraries on JCenter. The specific unofficial versions of these artifacts are:

  • com.android.support:animated-vector-drawable (24.0/24.1/24.1.1)
  • com.android.support:appcompat-v7 (24.0/24.1/24.1.1)
  • com.android.support:cardview-v7 (24.0/24.1/24.1.1)
  • com.android.support:customtabs (24.1/24.1.1)
  • com.android.support:design (24.0/24.1/24.1.1)
  • com.android.support:gridlayout-v7 (24.0/24.1/24.1.1)
  • com.android.support:leanback-v7 (24.0/24.1/24.1.1)
  • com.android.support:mediarouter-v7 (24.0/24.1/24.1.1)
  • com.android.support:palette-v7 (24.0/24.1/24.1.1)
  • com.android.support:percent (24.0/24.1/24.1.1)
  • com.android.support:preference-leanback-v7 (24.1/24.1.1)
  • com.android.support:preference-v14 (24.1/24.1.1)
  • com.android.support:preference-v7 (24.1/24.1.1)
  • com.android.support:recommendation (24.1/24.1.1)
  • com.android.support:recyclerview-v7 (24.0/24.1/24.1.1)
  • com.android.support:support-annotations (24.0/24.1/24.1.1)
  • com.android.support:support-compat (24.2)
  • com.android.support:support-core-ui (24.2)
  • com.android.support:support-core-utils (24.2)
  • com.android.support:support-fragment (24.2)
  • com.android.support:support-media-compat (24.2)
  • com.android.support:support-v13 (24.0/24.1/24.1.1)
  • com.android.support:support-v4 (24.0/24.1/24.1.1)
  • com.android.support:support-vector-drawable (24.0/24.1/24.1.1)
  • com.android.support:transition (24.2)

This is a security risk for Android developers who use these libraries as dependencies because Gradle will automatically download them if they are not on the developer’s local m2repository. Developers may unknowingly run code in these libraries, or package them into their apps. This could be a potential code injection security issue.


We have compared the checksums of these libraries with the official versions, and we do not believe they have been altered. We do not believe the unauthorized distribution is malicious so far.


We have worked with JCenter and these unofficial copies of Android Support Libraries have been removed. To protect yourself and your users, we recommend that you do the following:


  1. Use only the official Android Support Libraries. Only use the Android Support Libraries distributed through the Android SDK Manager. You can make sure you have all the official Android Support Libraries versions by making sure that your Android Support Repository is up-to-date. You can check this in Android Studio by going to Tools > Android > SDK Manager, then click on the SDK Tools tab, expand Support Repository, and make sure Android Support Repository is checked.


  1. Clear your Gradle cache. You should delete your Gradle cache in case you have already downloaded one of these unauthorized versions of the libraries. The location of the Gradle cache folder is in the following locations:

    • On Windows: %USER_HOME%.gradle/caches
    • On Mac/Unix: $HOME/.gradle/caches/
We are continuing to work with JCenter to protect the com.android.* and com.google.* namespaces of artifacts, and to prevent similar incidents from happening in the future. We will keep this page up-to-date as we have news to share about this incident, and we will also provide updates through Twitter and the Android Developer Tools Community on G+.
Comments