Google removed tons of Android apps from the Google Play Store for illegally harvesting data.
In a report from The Wall Street Journal, the apps were apparently used by millions and include software like QR scanners, weather apps, highway radar apps, and even prayer apps.
The banned applications reportedly contained code that can harvest users’ sensitive information like precise location, phone numbers, email, and more.
It’s said that the code was written by Measurement Systems, which has ties to a defense contractor based in Virginia, US, that does work such as cyber-intelligence for US national security agencies. The company has denied the allegations.
The code was uncovered by researchers Serge Egelman of UC Berkeley and Joel Reardon of the University of Calgary. The two showed their findings to Google and federal agencies.
It is reported that Measurement Systems paid app developers to include their software development kits (SDKs) in their applications. Other than the monetary compensation, the developers would also be rewarded with detailed information about their users. The SDK was apparently inside apps that have been downloaded to at least 60 million devices.
According to one of the app developers, they were told that the code was for collecting data on behalf of internet service providers, financial services, and energy companies. It is also said that the people behind it wanted data mainly from Central and Eastern Europe, Asia, and the Middle East.
The researchers noted that, despite having already been removed by Google, such apps are still present on millions of mobile devices. They also revealed that the SDK stopped collecting data after being discovered.
In a statement sent to WSJ, Measurement Systems said: “the allegations you make about the company’s activities are false. Further, we are not aware of any connections between our company and U.S. defense contractors nor are we aware of… a company called Vostrom. We are also unclear about what Packet Forensics is or how it relates to our company.”