Google recently pulled more than a dozen apps from the Play Store, including Muslim prayer apps with more than 10 million downloads, a barcode scanner and a clock app, after researchers discovered the secret data collection code inside them. This obscure, creepy code apparently was devised by a company affiliated with a Virginia defense contractor that pays developers to include its code in their app to steal users’ data.
During the investigation, a piece of code was found embedded in multiple applications that was used to siphon personal identifiers and other data from devices. One researcher said that the code, a software development kit, or SDK, “could be described as undoubted malware.”
The apps in question seem to serve basic, repetitive functions that a person might download and quickly forget. However, the researchers determined that once settled on the user’s phone, the SDK-linked programs collect important data points about the device and its users, such as phone numbers and email addresses.
The Wall Street Journal reports that this strange, invasive code was first discovered by a pair of researchers, Serge Egelman and Joel Reardon, who both co-founded an organization called AppCensus that oversees mobile apps for user privacy and security. In a blog post about its findings, Reardon says that AppCensus first contacted Google about its findings in October 2021. But the apps weren’t deleted from the Play Store until March 25 after Google’s review, the Journal reported. “All apps on Google Play, regardless of developer, must comply with our policies. When we determine that an app violates these policies, we will take appropriate action,” said a statement Google released in response.
One of the apps was a QR and barcode scanner which, once installed, was instructed by the SDK to collect the user’s phone number, email address, IMEI, GPS data, and router SSID. Another was a suite of Muslim prayer apps such as Al Moazin and Qibla Compass (downloaded nearly 10 million times), which similarly took phone numbers, router information, and IMEI. A weather and clock widget with over a million downloads collected a similar set of data at the SDK’s direction. The apps, some of which can also locate users, were downloaded more than 60 million times in total.
In the blog post, Reardon writes: “A database that matches someone’s real email and phone number with precise GPS location history is particularly scary; knowing a person’s phone number or email address, it is easy to run a service to look up location history. Since it can be used this way, it can be used to target journalists, dissidents or political opponents.”
According to the researchers, Measurement Systems, a company registered in Panama, is behind this malware. According to the reports, Measurement Systems was registered by a Virginia-based company called Vostrom Holdings, which has ties to the national defense industry. Vostrom has contracted with the federal government through a subsidiary called Packet Forensics, which appears to specialize in cyber intelligence and network defense for federal agencies.
App developers who spoke to the Journal said that Measurement Systems paid them to embed its SDK into their apps, thereby allowing the company to “collect data in secret” from device users. Other developers noted that the company asked them to sign non-disclosure agreements.
Documents viewed by the Journal apparently show that the company is mostly asking for data on users based in the Middle East, Central and Eastern Europe, and Asia.