Google recently pulled 11 apps from the Google Play Store after it found that they were secretly harvesting sensitive user data such as phone numbers, copy-paste data, and email addresses. According to the Wall Street Journal, the apps had been downloaded over 46 million times, and from the Google Play Store at that.
It was found that a company in Panama named Measurement Systems had been paying Android app developers to incorporate an SDK (software development kit) into their apps. This SDK was capable of picking up sensitive data from a user’s phone. The company has claimed that it has paid US$2.1 million to its partners and also claims that thousands of apps have already used the SDK. The company allegedly has ties with a Virginian defense contractor that performs cyber-intelligence for US national-security agencies, although it has denied the allegations.
Modus Operandi of How These Apps Harvested Data
According to AppCensus, whenever a user copies and pastes something, the data is uploaded to the SDK’s server. AppCensus added that the SDK is also capable of collecting phone numbers, email addresses, and exact GPS locations. Even more alarming, the SDK can pull the unique MAC address of the router to which a phone is connected. In this way it can expose users’ activities.
The Kind of Apps That Have Used This SDK
Security researchers found that the affected apps included QR and bar code scanners, speed trap detectors, weather apps, highway radar apps, and many others. These apps contained code that could harvest user data such as email addresses, locations, phone numbers, and more.
What Danger Do Such Apps Pose?
From a normal user’s perspective, ponder this: is data harvesting via apps right? Joel Reardon, who discovered this data harvesting code, said in an AppCensus research blog post that it’s frightening if a database is capable of mapping a user’s phone number and email to their exact GPS location history, because then a user could be targeted based on just their email address or phone number. This can be used to target political competitors, journalists, and dissidents.
Don’t you think that this kind of data harvesting poses threats to normal users as well? Do let us know in the comments section below.
What Should Be Done
1. Look at the screenshot above. If you have installed any of those apps, make sure you uninstall them right away.
2. If you come across an app that has been in the news for all the wrong reasons, do not install it, and if you already have, uninstall it immediately. As in the case of the above apps, Google may have pulled them from the Play Store, but if you still have them on your device, you are at risk.
3. Even after you have uninstalled the app, make sure you have an antimalware app on your smartphone that can track any malware that the app has left behind or any other malware app that the uninstalled app has installed.
For example, you can install Smart Phone Cleaner from Systweak Software, which protects your phone against all kinds of infections and malware attacks.
4. Do check our post on how to spot fake Play Store apps and how you can steer clear of them. The steps mentioned in this post won’t just help you keep your guard up against those sketchy apps that pretend to be Play Store apps but also against those that have been able to get past Google Play Store’s defenses.
For all my developer pals out there: no matter how lucrative an offer is, would you include an SDK in your app that would compromise your users’ data and possibly make you lose their trust once they find out that you are collecting it? Do mention your views in the comments section below.