Google has removed dozens of malicious apps from its mobile app marketplace, all of which allegedly contained code tied to a contractor employed by US national security agencies.
According to a Wall Street Journal report, the company that wrote the code is called Measurement Systems. The firm is said to have paid developers around the world to embed its software development kit (SDK) in their apps.
The precise number of Android (opens in new tab) apps that carried the malware (opens in new tab) is unclear (there were at least twelve), but according to the researchers responsible for the discovery the apps were downloaded at least 60 million times in total.
We're looking at how our readers use VPNs with different devices so we can improve our content and offer better advice. This survey shouldn't take more than 60 seconds of your time. Thank you for taking part.
>> Click here to start the survey in a new window (opens in new tab) <<
Targeting the Middle East
Google has now removed the compromised apps from the Play Store, but they remain active and are still gathering data. The apps include a number of Muslim prayer apps (with more than 10 million downloads), highway-speed-trap detection apps, QR-code reading apps and other “popular consumer apps”.
Allegedly, Measurement Systems told developers they wanted data from users in the Middle East, Central and Eastern Europe and Asia.
Some of the offending apps have already been permitted to return to Google Play listings after removing the controversial code.
According to Serge Egelman and Joel Reardon, the researchers behind the discovery, the findings represent “the most privacy-invasive SDK they have seen in the six years they have been examining mobile apps”.
> Beware Android users - These 23 apps may be spying on you (opens in new tab)
> Some of the most basic Android apps might be spying on you more than you'd think (opens in new tab)
> Meta cracks down on mysterious companies spying on Facebook users (opens in new tab)
The SDK was gathering all kinds of data, from the precise location of the endpoints, to email addresses, phone numbers, and data on nearby personal devices. The device clipboard was also monitored, meaning whoever coped and pasted their passwords on the mobile device was at risk.
According to the researchers, the type of data harvested is highly unusual, as consumer data brokers typically steer clear from data that is protected by privacy laws.
- Keep your devices safe from ransomware with the best ransomware protection services right now (opens in new tab)
Via Wall Street Journal (opens in new tab)