This kind of thing has been done for a long time, good to see Google noticing in this case, but Google gathers lots of data too for advertising purposes.
Google pulls apps that may have harvested data from millions of Android devices
The apps took users' precise location, email, phone numbers and more, researchers said.
S. Dent, @stevetdent, April 7th, 2022 in Engadget
Google has pulled dozens of apps used by millions of users after finding that they covertly harvested data, The Wall Street Journal has reported. Researchers found weather apps, highway radar apps, QR scanners, prayer apps and others containing code that could harvest a user's precise location, email, phone numbers and more. It was made by Measurement Systems, a company that's reportedly linked to a Virginia defense contractor that does cyber-intelligence and more for US national-security agencies. It has denied the allegations.
The code was discovered by researchers Serge Egelman from UC Berkeley and the University of Calgary's Joel Reardon, who disclosed their findings to federal regulators and Google. It can "without a doubt be described as malware," Egelman told the WSJ.
Measurement Systems reportedly paid developers to add their software development kits (SDKs) to apps. The developers would not only be paid, but receive detailed information about their user base. The SDK was present on apps downloaded to at least 60 million mobile devices. One app developer said it was told that the code was collecting data on behalf of ISPs along with financial service and energy companies. Measurement Systems also said it wanted data mainly from the Middle East, Central and Eastern Europe and Asia.
"A database mapping someone’s actual email and phone number to their precise GPS location history is particularly frightening, as it could easily be used to run a service to look up a person’s location history just by knowing their phone number or email, which could be used to target journalists, dissidents, or political rivals," Reardon said in the AppCensus research blog.
Though Google has pulled those apps from the Play Store, the researchers noted that they still exist on millions of devices. At the same time, they found that the SDK stopped collecting user data after their findings were revealed. ... '
No comments:
Post a Comment