Don’t make creepy apps, y’all
Malicious software, AKA malware, is a huge problem for anyone who ends up saddled with it. It’s not just the bad guys who are hiding software that can harm us, though. Some seemingly legitimate companies are doing things like collecting personal information without the user’s knowledge or consent. It’s far from the first case of malware slipping into the Play Store, but it looks like Google, at least, is doing something about this privacy violation after learning about a number of problematic Android apps in the Play Store.
The search giant has taken measures to boot apps with hidden data-harvesting software out of the store, according to a recent Wall Street Journal report. Measurement Systems S. de R.L, a Panamanian company that works with US security agencies, wrote the code. Measurement Systems also has links to a Virginia defense contractor that specializes in cyberdefense. According to the WSJ report, the behavior was found by researchers auditing Android apps while looking for vulnerabilities. The data-harvesting code reportedly ran on millions of Android devices and has been detected in well-known consumer apps, Muslim prayer apps, an app for detecting highway speed traps, and a QR code reader. The researchers shared their findings with federal privacy officials, the WSJ, and Google.
The Panamanian firm reportedly paid developers to include its software development kit (SDK) code in their applications, and the kit handled data collection. The WSJ reports that it was able to look at data from a third-party company that showed the geographic distribution of users whose phones were running the Measurement Systems SDK, and it learned from the researchers that the buried code could obtain information down to location in addition to extracting info like email and phone numbers. The SDK could also view hashed data from WhatsApp image folders and even pull data about nearby computers and mobile devices, potentially mapping out who people meet with on a regular basis.
According to the Journal, Measurement Systems also used a subsidiary called Packet Forensics LLC to do business with the US government. While national security agencies and the Defense Department have admitted they buy commercial provider data like this to help with threat analysis, the finer details of what they get and how they use it remain secret. Governments have been collecting location-analytics information logged by mobile software for some time, sometimes asking firms to turn over bulk loads of user data to law enforcement agencies. The thing is, it can pay off for developers. According to documents seen by the paper, Measurement Systems claimed devs could rake in anywhere from $100 to $10,000 per month as long as they delivered enough users with apps accessing location data.
Serge Egelman, who with his colleague Joel Reardon discovered the hidden software, said there’s an old-fashioned lesson for developers who popped Measurement Systems code in their apps looking to make some money. It’s about “the importance of not accepting candy from strangers.” After all, it might be poisoned with code that wants to tell the government everything it can find out about you and your users. Still, there is some hope for those who have lost income streams from Google‘s ban. The company may allow some apps to return — as long as they delete the Measurement Systems code. The first few are in fact already back.
Read Next
About The Author
