Google pulled dozens of apps from its Google Play store after determining they include software that harvests data without the device-owners’ permission.
The code, written by a Panamanian company, Measurement Systems S. de R.L., ran on millions of Android devices and has been found inside several Muslim prayer apps downloaded more than 10 million times, according to a report published by AppCensus.
Measurement Systems is linked through corporate records and web registrations to a Virginia defense contractor deep in cyber intelligence and network defense, all working for U.S. national-security agencies, according to The Wall Street Journal, which initially published the report.
The code was also found in a highway-speed-trap detection app, a QR-code reading app and a number of other popular consumer apps, the WSJ reported, citing two researchers who discovered it while auditing and searching for vulnerabilities in Android apps.
Serge Egelman, a researcher at the International Computer Science Institute and the University of California, Berkeley, and Joel Reardon of the University of Calgary, cofounded AppCensus. They told the WSJ that developers said Measurement Systems paid them to incorporate its software development kit (SDK) into their apps.
Data collected through the SDK includes clipboard snippets, GPS locations, email addresses, and phone numbers. In a post, Reardon explains that different apps running the same version of the SDK will collect different information.
For instance, the Simple weather and clock widget app running the SDK includes the contents of the clipboard. So, when a user copies and pastes something, it goes to a shared clipboard, which this SDK scoured and uploaded to its servers. That arbitrary data can include passwords, for example when a user copies one from a password manager.
The phone number of the device can also be sent with the “JSON key ‘PhoneNumber,’ and the email address associated with the phone sent base64-encoded under the JSON key ‘Name,’” he wrote.
In apps that have access to the location permission, this SDK also collects precise GPS location in addition to coarser router-based location data.
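The fields described above (a clear-text phone number under the JSON key "PhoneNumber", an email address base64-encoded under the key "Name", clipboard contents, and GPS coordinates) are exactly what a defender would look for when reviewing captured app traffic. The following Python is an added example, not code from the article or from AppCensus: it inspects a single captured JSON payload and flags those indicators. The "PhoneNumber" and "Name" keys come from the report; the "clip", "lat" and "lon" key names, and the sample payload itself, are constructed assumptions used only to illustrate the clipboard and location cases.

```python
import base64
import binascii
import json
import re

# Constructed sample of an outbound JSON payload. "PhoneNumber" and "Name"
# (base64-encoded email) are the field names the AppCensus write-up describes;
# "clip", "lat" and "lon" are assumed names added here for illustration and
# are not field names reported by the researchers.
SAMPLE_PAYLOAD = json.dumps({
    "PhoneNumber": "+15555550123",
    "Name": base64.b64encode(b"alice@example.com").decode(),
    "clip": "hunter2-correct-horse",      # assumed clipboard field
    "lat": 37.8716, "lon": -122.2727,     # assumed precise GPS fields
    "appver": "3.2.1",                    # benign metadata, should not be flagged
})

EMAIL_RE = re.compile(r"^[^@\s]+@[^@\s]+\.[^@\s]+$")
PHONE_RE = re.compile(r"^\+?\d{7,15}$")
ASSUMED_CLIPBOARD_KEYS = {"clip"}          # assumption, not from the report
ASSUMED_GPS_KEYS = ("lat", "lon")          # assumption, not from the report


def decode_base64_text(value):
    """Return the decoded UTF-8 text if value is strictly valid base64, else None.

    validate=True makes b64decode reject strings containing characters outside
    the base64 alphabet, so ordinary version strings and free text fall through.
    """
    if not isinstance(value, str):
        return None
    try:
        return base64.b64decode(value, validate=True).decode("utf-8")
    except (binascii.Error, UnicodeDecodeError, ValueError):
        return None


def flag_pii_fields(payload_json):
    """Inspect one captured JSON payload and return a list of human-readable findings.

    Each top-level string value is checked, in order, for a clear-text phone
    number, a clear-text email address, and a base64-wrapped email address;
    clipboard and GPS indicators are checked by (assumed) key name.
    """
    data = json.loads(payload_json)
    findings = []
    for key, value in data.items():
        if isinstance(value, str) and PHONE_RE.match(value):
            findings.append(f"{key}: phone number sent in clear text")
            continue
        if isinstance(value, str) and EMAIL_RE.match(value):
            findings.append(f"{key}: email address sent in clear text")
            continue
        decoded = decode_base64_text(value)
        if decoded and EMAIL_RE.match(decoded):
            findings.append(f"{key}: base64-encoded email address ({decoded})")
    if all(k in data for k in ASSUMED_GPS_KEYS):
        findings.append("lat/lon: precise GPS coordinates present")
    for key in ASSUMED_CLIPBOARD_KEYS & data.keys():
        findings.append(f"{key}: clipboard contents present")
    return findings


if __name__ == "__main__":
    for finding in flag_pii_fields(SAMPLE_PAYLOAD):
        print(finding)
```

The base64 check is deliberately strict: an SDK that hides an email address behind a simple encoding still produces a string that decodes cleanly to an address, while version strings and clipboard text contain characters outside the base64 alphabet and are rejected before any decode attempt. Running the same check over every request captured from a device gives a quick first pass for the kind of silent collection the researchers describe.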
AppCensus reported the issue to Google on October 20, 2021, along with the list of affected apps given in the blog post.