Google has removed several apps used by over 50 million users from the Play Store after learning that the applications in question were harvesting users' personal information. Researchers Joel Reardon (University of Calgary) and Serge Egelman (UC Berkeley) discovered the malicious code in dozens of apps harvesting users' precise location, phone numbers, and email accounts.
Reardon and Egelman reported (via Endgadget) their findings to federal regulators and Google, which led to the company removing the apps from the Play Store. It's been reported that Measurement Systems is the company responsible for the code and is linked to defense contractors that provide cyber-intelligence to US national security agencies.
- Best antivirus apps in 2022
- Best password managers in 2022
- Best phone deals in 2022
We want to believe that such a connection is harmless, but Measurement Systems has supposedly paid developers to add their wares to SDKs (development kits) to many different apps in exchange for detailed user information and payment.
Reardon states the following in the AppCensus research blog post:
"A database mapping someone's actual email and phone number to their precise GPS location history are particularly frightening, as it could easily be used to run a service to look up a person's location history just by knowing their phone number or email, which could be used to target journalists, dissidents, or political rivals."
The other fear researchers have is that even though the apps with the information harvesting code have been pulled from the Play Store, millions of users may still be using them. When the Wall Street Journal first broke the story, they reached out to Measurement Systems and received an emailed response stating: "the allegations you make about the company's activities are false. Further, we are not aware of any connections between our company and U.S. defense contractors, nor are we aware of… a company called Vostrom. We are also unclear about Packet Forensics or how it relates to our company."
Reardon and Egelman compiled a list of the harvesting apps users should make sure to remove immediately from their devices.
List of data-harvesting apps
- Speed Camera Radar
- Al-Moazin Lite (Prayer Times)
- WiFi Mouse(remote control PC)
- QR & Barcode Scanner
- Qibla Compass – Ramadan 2022
- Simple weather & clock widget
- Handcent Next SMS-Text w/ MMS
- Smart Kit 360
- Al Quran Mp3 – 50 Reciters & Translation Audio
- Full Quran MP3 – 50+ Languages & Translation Audio
- Audiosdroid Audio Studio DAW – Apps on Google Play
We will keep tabs on this developing story and update this list if it continues to grow.