Google has removed dozens of apps from the Google Play Store after finding they were harvesting data from millions of Android phones. The spyware creator, Panama’s Measurement Systems S. de R.L., has been linked with a Virginia defense contractor that has done work for U.S. national-security agencies in the areas of cyberintelligence, network defense and intelligence intercepts. Researchers found the errant code embedded in apps for Muslim prayers, speed-trap detection, QR-code reading and other popular consumer programs that have been downloaded more than 10 million times.
The findings were presented to Google parent Alphabet, the Federal Trade Commission and The Wall Street Journal, which reports that third-party app developers around the world were paid by Measurement Systems to incorporate its SDK into their apps. This enabled the Panamanian company to surreptitiously harvest data from unsuspecting users.
“Modern apps often include SDKs written by little-known companies like Measurement Systems ‘that aren’t audited or well understood,’” said Serge Egelman, a researcher at UC Berkeley’s International Computer Science Institute and part of the team that discovered the breach.
“The SDK was harvesting a large amount of data about each user — including precise location, personal identifiers such as email and phone numbers as well as data about nearby computers and mobile devices,” WSJ reports, adding that the SDK also had some ability to collect passwords and scan files stored in WhatsApp download folders.
It can “without a doubt be described as malware,” said Egelman, who made the discovery with Joel Reardon of the University of Calgary. The pair co-founded the mobile security firm AppCensus and told WSJ that the Measurement Systems SDK was the most invasive infraction they have discovered in their six years of business.
The offending apps were delisted from the Google Play Store on March 25, Google spokesman Scott Westover told WSJ, explaining that they violated the company’s data collection rules. “Google’s action doesn’t impair Measurement System’s ability to collect data from the millions of phones around the world where its software is already installed,” WSJ reports.
Egelman and Reardon “found that the SDK stopped collecting data on its users and unplugged itself shortly after the two men began circulating their findings,” according to the newspaper, which adds that “some are already back in the App Store.”
In other Play Store news, Google has informed Android app developers that beginning November 1, 2022, “it will hide apps and block their installation to users’ devices if developers haven’t kept up with the latest Android OS releases,” according to TechCrunch, which says “apps that don’t target an Android API within two years of the latest major Android release version will no longer be able to be discovered or installed by new users” with devices that run Android OS higher than the apps’ target API.