Recently, Google removed more than a dozen applications from its Play Store after they were found to contain a software development kit (SDK) used to harvest user data. Among them were Muslim prayer apps with more than 10 million downloads, a barcode scanner and a clock widget. The removals followed researchers' discovery of data-harvesting code hidden inside these apps. The code was written by a firm connected to a Virginia defence contractor, which paid developers to integrate it into their apps so that it could collect users' data.
The researchers noticed a component of code, embedded in a range of apps, that extracted personal identifiers and device data. This component, shipped to developers as an SDK, was essentially malware. Most of the apps it was bundled into served simple, everyday functions, but once installed on a device, any app carrying the SDK harvested sensitive data points about the device and its user.
Early reports of the story described how the unusual, invasive code was discovered by researchers Joel Reardon and Serge Egelman, co-founders of AppCensus. Reardon wrote in a blog post that AppCensus reported its findings to Google last year; however, the apps were not removed from the store until last month.
Google issued a statement in response: “All apps on Google Play must comply with our policies, regardless of the developer. When we determine an app violates these policies, we take appropriate action.”
Notably, one of the affected apps, a QR and barcode scanner, was instructed by the SDK to collect information such as the IMEI, GPS location and phone number once installed. A group of Muslim prayer apps, including Al Moazin and Qibla Compass, likewise collected the IMEI, router information and phone number. A weather and clock widget fed a similar amount of data to the SDK on command. Together these apps were downloaded tens of millions of times. Reardon explained in his post why a database linking someone's email address, phone number and location is alarming: it could be used to look up a specific person's precise location. Such a system could be turned against journalists, dissidents or political rivals.
The company behind the SDK is Measurement Systems, registered in Panama. The researchers found that it was in fact registered by a Virginia-based company called Vostrom Holdings, which in turn does federal government contracting through a subsidiary called Packet Forensics. App developers said that Measurement Systems paid them to embed its SDK in their apps, allowing it to "surreptitiously collect data" from users. Some developers also said the company required them to sign non-disclosure agreements.
Once again, researchers caught a data broker tied to US national security harvesting extensive personal information including precise location via weather apps, QR readers, speed-trap detectors and Muslim prayer apps installed on >60m Android smartphones: https://t.co/gELGGRHbrc
— Wolfie Christl (@WolfieChristl) April 6, 2022