Among them, Muslim prayer apps with 10 million-plus downloads, a barcode scanner, and a clock were kicked out of the Play Store after researchers discovered secret data-harvesting code hidden within them. The code was created by a company linked to a Virginia defense contractor, which paid developers to incorporate it into their apps so that it could steal users' data.
Researchers came across a piece of code, implanted in multiple apps, that was being used to steal data from devices. One researcher said that the code, a software development kit (SDK), could be described as a type of malicious software.
For the most part, the apps in question seem to have served basic, repetitive functions, the sort that a person might download and then forget about. The researchers found that once embedded on a user's phone, the code harvested important data points about the device and its user.
The Wall Street Journal reported that the weird, intrusive code was discovered by a pair of researchers, Serge Egelman and Joel Reardon, who co-founded an organization called AppCensus, which audits mobile apps for user privacy and security. In a post on their findings, Reardon writes that AppCensus reached out to Google in October of 2021. The Journal reports that the apps were not removed from the Play Store until March 25. All apps on the Play Store must comply with the company's policies, regardless of the developer. We take appropriate action when we determine an app violates the policies.
When a user downloaded one of the apps, the SDK instructed it to collect the user's phone number, email address, and other data. A suite of Muslim prayer apps, including Al Moazin and Qibla Compass, was downloaded 10 million times. A weather and clock app with over one million downloads sucked up the same data on command. The apps that could determine users' locations racked up more than 60 million downloads between them.
A database that maps someone's email and phone number to their precise location history is frightening, as it could easily be used to run a service to look up a person's location history.
Who is behind this? Measurement Systems is a company registered in Panama, but according to the researchers' report it was actually registered by Vostrom, a company with ties to the national defense industry. Vostrom contracts with the federal government through a subsidiary firm called Packet Forensics, which is said to specialize in cyberintelligence and network defense for federal agencies.
According to the app developers, Measurement Systems paid them to implant its SDK into their apps, which allowed the company to collect data from device users. The company asked developers to sign non-disclosure agreements. According to documents viewed by the Journal, the company wanted data on users based in the Middle East, Central and Eastern Europe, and Asia.
After the Journal's story dropped, data researchers on social media pointed out that the defense industry has a long, problematic relationship with the data brokerage industry.
A full list of the apps that were found to contain the code can be found at the AppCensus website.