Google has confirmed the removal from its app store of apps that contained hidden data collection software. The apps ran on tens of millions of Android devices around the world—that’s roughly 60 million users.
This case became known after the publication of an investigation by The Wall Street Journal. A Panamanian company associated with a contractor in the United States is listed as the developer of the secret data collection code. The authors of the report are the co-founders of AppCensus, a company that studies the security and privacy of mobile applications, notes BlueScreen.
According to them, the discovered code is the most invasive SDK they have seen in six years of studying mobile applications. After the report made its way to the Federal Trade Commission and Google, they investigated and removed the apps.
“FTC investigations are non-public, we cannot comment on whether we are investigating a particular issue,” said a spokeswoman for the Federal Trade Commission.
Google spokesman Scott Westover clarified that applications containing Measurement Systems software were removed from the Google Play Store on March 25 for collecting user data outside of established guidelines. And he added that applications can be unlocked after removing the code, some of the developers have already done so, notes NIX Solutions.
What features could the tracking software have:
- collect a large amount of data about each user, including exact location, email data, phone numbers, information about nearby computers and mobile devices;
- Find other devices on the same Wi-Fi network as the app using the code
- collect information that is stored on the phone’s clipboard, such as passwords, every time the cut and paste feature is used;
- scan some parts of the phone’s file system, including files stored in the WhatsApp downloads folder. It could not necessarily read the contents of the files, but could match them against known files.
“A database correlating someone’s actual email and phone number with their exact GPS location history is especially intimidating because it can be easily used to start a person’s location history lookup service just by knowing their phone number or email address, which could be used to target journalists, dissidents or political figures,” one expert wrote in a blog post explaining his findings.
Experts estimate that Measurement Systems’ surveillance software was present in applications downloaded on at least 60 million mobile devices, and probably many more. Google declined to specify how many apps in total contained this code.