Google banned dozens of apps from the Google Play store after discovering that they were secretly harvesting data, The Wall Street Journal reports. According to WSJ, the Panama-based company Measurement Systems S. de R.L. wrote the code that appeared in those apps. That code linked back to a US defense contractor “that does cyberintelligence, network-defense and intelligence-intercept work for U.S. national-security agencies.”
Google banned data-harvesting Android apps
Security researchers Serge Egelman and Joel Reardon, the co-founders of a company called AppCensus, say they discovered the code last fall. They reported their findings to Google on October 20th, 2021, along with a list of apps containing the code.
The code reportedly ran on millions of Android devices before Google banned the apps on March 25th. Several Muslim prayer apps are on the list, one of which was downloaded over 10 million times. Other affected apps included a speed camera tracker, a weather and clock widget, and an app that turns your phone into a wireless mouse.
Here’s a list of the most popular affected apps, in case you want to check your devices:
- Speed Camera Radar
- Al-Moazin Lite (Prayer Times)
- WiFi Mouse(remote control PC)
- QR & Barcode Scanner
- Qibla Compass – Ramadan 2022
- Simple weather & clock widget
- Handcent Next SMS-Text w/ MMS
- Smart Kit 360
- Al Quran Mp3 – 50 Reciters & Translation Audio
- Full Quran MP3 – 50+ Languages & Translation Audio
- Audiosdroid Audio Studio DAW
If you have any of these apps on your Android devices, delete them right away.
What were the apps harvesting?
The report goes on to catalog the data these apps were able to harvest. The Measurement Systems SDK gathered precise location data, email addresses, phone numbers, and details about connected devices nearby. It could also collect data stored in the phone’s clipboard, which might include passwords that had been copied and pasted. The SDK could scan parts of a phone’s file system as well, including files stored in the WhatsApp download folder.
“The thought that this data collector could have built a database mapping someone’s actual email and phone number to their precise GPS location history is particularly frightening, as such a database could be used to run a service to look up a person’s location history just by knowing their phone number or email, and could be used to target journalists, dissidents, or political rivals,” Reardon wrote in a blog post on the AppCensus website.
The Wall Street Journal reports that Google removed the apps from its app store on March 25th. Google spokesman Scott Westover told the publication that the apps can be relisted after removing the software, and some are already back on Google Play.