Google Play pulls dozens of apps that collected personal data from millions of Android users

(Image credit: Future)

Google has removed dozens of malicious apps from its mobile app marketplace, all of which allegedly contained code tied to a contractor employed by US national security agencies.

According to a Wall Street Journal report, the company that wrote the code is called Measurement Systems. The firm is said to have paid developers around the world to embed its software development kit (SDK) in their apps. 

The precise number of Android apps that carried the malware is unclear (there were at least twelve), but according to the researchers responsible for the discovery the apps were downloaded at least 60 million times in total.

TechRadar needs yo...

We're looking at how our readers use VPNs with different devices so we can improve our content and offer better advice. This survey shouldn't take more than 60 seconds of your time. Thank you for taking part.

>> Click here to start the survey in a new window <<

Targeting the Middle East

Google has now removed the compromised apps from the Play Store, but they remain active and are still gathering data. The apps include a number of Muslim prayer apps (with more than 10 million downloads), highway-speed-trap detection apps, QR-code reading apps and other “popular consumer apps”.

Allegedly, Measurement Systems told developers they wanted data from users in the Middle East, Central and Eastern Europe and Asia.

Some of the offending apps have already been permitted to return to Google Play listings after removing the controversial code.

According to Serge Egelman and Joel Reardon, the researchers behind the discovery, the findings represent “the most privacy-invasive SDK they have seen in the six years they have been examining mobile apps”.

The SDK was gathering all kinds of data, from the precise location of the endpoints, to email addresses, phone numbers, and data on nearby personal devices. The device clipboard was also monitored, meaning whoever coped and pasted their passwords on the mobile device was at risk. 

According to the researchers, the type of data harvested is highly unusual, as consumer data brokers typically steer clear from data that is protected by privacy laws.

Via Wall Street Journal

Sead Fadilpašić

Sead is a seasoned freelance journalist based in Sarajevo, Bosnia and Herzegovina. He writes about IT (cloud, IoT, 5G, VPN) and cybersecurity (ransomware, data breaches, laws and regulations). In his career, spanning more than a decade, he’s written for numerous media outlets, including Al Jazeera Balkans. He’s also held several modules on content writing for Represent Communications.