Early this week, data shared with The Wall Street Journal showed that millions of Android users downloaded apps that covertly collected sensitive data. According to Android Police, this data could have included users' emails, phone numbers, and locations. The spyware even showed the potential to map out who users physically spent time with each day.
The WSJ reported that a Panama-based company, Measurement Systems S. de R.L., which has connections to a Virginia cyberdefense contractor, was allegedly responsible for the privacy-infringing code.
Measurement Systems reportedly offered app creators monetary compensation to embed its code, packaged as a software development kit (SDK), into various apps.
While auditing Android apps, two researchers, Serge Egelman and Joel Reardon, detected the malicious code. They shared their findings with Google, a division of Alphabet Inc., the WSJ, and federal privacy regulators.
The SDK was found in dozens of commonly used apps, such as a Muslim prayer app, a QR scanner, and an app that detects highway speed traps.
App developers are willing to embed third-party SDKs in their app code to earn income. The downside is that developers often know little about the companies that produce those SDKs or what the code does once it is installed.
Egelman and Reardon, who also founded a company called AppCensus, stated that this particular SDK was one of the most privacy-invasive SDKs they had seen in over six years of research. Egelman described it as an undoubted form of malware.
After Egelman and Reardon shared their findings with Google, the company launched an investigation and pulled the affected apps on March 25, 2022.
Google spokesman Scott Westover stated that the apps were pulled for violating Google's privacy guidelines and could be restored to the Play Store once the SDK was removed. Since then, some apps have returned with the malicious code removed.
However, removing the affected apps from the Play Store does not stop the SDK's creator from gathering information through copies of those apps that users did not delete and reinstall after the ban. Egelman and Reardon noted that the SDK unplugged itself and stopped collecting data shortly after the researchers went public with their findings.
The official number of mobile devices affected by the SDK is unknown, but it is upwards of 60 million. Google declined to comment on how many apps were affected or which ones they were.
Documents reviewed by the WSJ allegedly show that Measurement Systems wanted to collect data from Middle Eastern, Central and Eastern European, and Asian countries. The app developers who embedded the SDK said they were asked to sign a non-disclosure agreement.
The SDK's ability to pinpoint a user's location could have severe consequences if used against specific people such as journalists or political figures.
Measurement Systems also allegedly worked with the U.S. Department of Defense.
According to the WSJ, the Department of Defense has previously said it buys data from commercial providers to analyze potential threats to national security but declined to specify what the data offered or how it was used.
Measurement Systems responded to the privacy infringement claims in an email to the WSJ, saying, “The allegations you make about the company’s activities are false. Further, we are not aware of any connections between our company and U.S. defense contractors.”