Google is removing apps reportedly sending data to US intelligence agencies

Ryan Haines/Android Authority

TL;DR

  • Researchers discovered an SDK that sent large amounts of data to a US defense contractor.
  • Google has removed dozens of objectionable apps.
  • Affected apps should be deleted, but may be listed again once the SDK is removed.

Google has removed dozens of apps for collect data and send it to a company affiliated with the US Secret Service.

Malware in the Google Play Store is nothing new, but it is usually the domain of hackers, ransomware gangs, and other bad actors looking for financial gain. According to a new report by The Wall Street Journalthe latest round of malware contains a software development kit (SDK) that reportedly sends data to a defense contractor with ties to US intelligence.

The heart of the operation is the Panamanian company Measurement Systems. Given that Measurement Systems is a little-known company with an even lesser-known SDK that doesn’t add any useful functionality, it paid developers anywhere from $100 to $10,000 or more a month to include it in their software. The SDK has been used in several Muslim prayer apps, a weather app, a speed camera detector app and many more. In total, compromised apps are believed to have been downloaded more than 60 million times.

Continue reading: We asked, you told us: most of you have never experienced malware on Android phones

Measurement Systems told developers that it collects data for internet service providers, energy companies and financial services companies. Interestingly, and coinciding with the connection to US intelligence agencies, the company told developers that it was specifically interested in data from the Middle East, Asia, and Central and Eastern Europe — regions that advertisers typically don’t prioritize because they’re not as wealthy the USA or Western Europe. For example, one of the weather apps has a large user base in Iran, a prime target for US intelligence.

Once active, the SDK collected large amounts of data including exact location, phone number, email address, and nearby devices. The SDK also had full access to the system clipboard, including any passwords stored there. The SDK could also scan parts of the file system, including where WhatsApp downloads and stores files. Researchers don’t believe the SDK can open the files, but it can use a hash algorithm to match them with files of interest. This further supports the assumption that the US Secret Service is behind Measurement Systems, as WhatsApp uses end-to-end encryption and the secret services are always looking for ways to gain as much insight as possible into communications on the platform.

See also: Is WhatsApp safe? How does end-to-end encryption work?

The malware was first discovered by Serge Egelman and Joel Reardon, co-founders of mobile app security company AppCensus. Egelman is also a researcher at the International Computer Science Institute and at the University of California, Berkeley and Reardon at the University of Calgary. The men have described the malware as “the most privacy-invasive SDK they’ve seen in the six years they’ve been investigating mobile apps.”

After Egelman and Reardon informed it of the issue, Google quickly took action and removed offending apps from the Play Store. Interestingly, Measurement Systems’ SDK appears to have stopped collecting data, although Google has done nothing to explain this behavior. It appears that Measurement Systems has disabled functionality on its site. Google has also said apps may be re-listed once developers remove the SDK.

Ultimately, the whole debacle should serve as a warning to developers who might be tempted to accept money for including some random, little-known SDK: if it sounds too good to be true, it probably is.

“This saga continues to underscore the importance of not accepting candy from strangers,” said Mr. Egelman.

Here is a list of known apps that include the SDK. Users should delete these apps immediately and wait for them to be listed again in the Play Store.

  • speed camera radar
  • Al-Moazin Lite (Prayer Times)
  • WiFi Mouse (Remote Control PC)
  • QR and barcode scanner
  • Qibla Compass – Ramadan 2022
  • Simple weather and clock widget
  • Handcent Next SMS – Text with MMS
  • SmartKit 360
  • Al Quarun Mp3 – 50 Reciters & Translation Audio
  • Audiosdroid Audio Studio DAW — Apps on Google Play

Leave a Comment