The apps take users’ precise location, email, phone numbers, and more, the researchers said.
According to The Wall Street Journal, Google has removed dozens of apps used by millions of users after discovering that they were secretly harvesting data. Researchers discovered code in weather apps, highway radar apps, QR scanners, prayer apps, and other apps that could harvest a user’s precise location, email, phone numbers, and other information. It was created by Measurement Systems, a company that is reportedly linked to a Virginia defense contractor that specializes in cyber-intelligence and other services for US national-security agencies. The allegations have been denied by the company.
- Google is putting its new Privacy Sandbox settings in Chrome to the test.
- Google will begin testing alternatives to its Play Store billing system with Spotify.
The code was discovered by researchers Serge Egelman of UC Berkeley and Joel Reardon of the University of Calgary, who reported their findings to federal regulators and Google. Egelman told the WSJ that it can “without a doubt be described as malware.”
Measurement Systems reportedly paid developers to add their software development kits (SDKs) to apps. The developers would not only be paid, but receive detailed information about their user base. The SDK was present on apps downloaded to at least 60 million mobile devices. One app developer said it was told that the code was collecting data on behalf of ISPs along with financial service and energy companies. Measurement Systems also said it wanted data mainly from the Middle East, Central and Eastern Europe and Asia.
“A database mapping someone’s actual email and phone number to their precise GPS location history is particularly frightening, as it could easily be used to run a service to look up a person’s location history just by knowing their phone number or email, which could be used to target journalists, dissidents, or political rivals,” Reardon said in the AppCensus research blog.
Though Google has pulled those apps from the Play Store, the researchers noted that they still exist on millions of devices. At the same time, they found that the SDK stopped collecting user data after their findings were revealed.
The Measurement Systems domain was registered by a company called Volstrom Holdings Inc., which deals with the federal government through a subsidiary called Packet Forensics LLC. A company called Measurement Systems S de R.L. “also listed two holding companies as officers, both of which share a Sterling, Va., address with people affiliated with Volstrom,” the WSJ noted.
In a statement, Measurement Systems told the WSJ by email that “the allegations you make about the company’s activities are false. Further, we are not aware of any connections between our company and U.S. defense contractors nor are we aware of… a company called Vostrom. We are also unclear about what Packet Forensics is or how it relates to our company.”
