The search giant has moved to boot apps carrying hidden data-harvesting software out of the Play Store, according to a recent Wall Street Journal report. The code was written by Measurement Systems S. de R.L., a Panamanian company that works with US security agencies and has links to a Virginia defense contractor specializing in cyberdefense. According to the WSJ report, researchers auditing Android apps for vulnerabilities found the behavior. The data-harvesting code reportedly ran on millions of Android devices and was detected in well-known consumer apps, Muslim prayer apps, an app for detecting highway speed traps, and a QR code reader. The researchers shared their findings with federal privacy officials, the WSJ, and Google.
Malicious software, or malware, is a major headache for anyone infected with it. But it isn't only obvious bad actors hiding malware who can hurt us: some companies that appear reputable are quietly gathering personal information without the user's knowledge or consent. This is far from the first time malware has found its way into the Play Store, but Google, at the very least, appears to be taking steps to address the problem after learning about a number of dangerous Android apps there.
The Panamanian firm reportedly paid developers to include its software development kit (SDK) in their applications, and the kit handled the data collection. The WSJ says it reviewed data from a third-party company showing the geographic distribution of users whose phones were running the Measurement Systems SDK, and learned from the researchers that the buried code could collect device location as well as email addresses and phone numbers. The SDK could also read hashed data from WhatsApp image folders and pull data about nearby computers and mobile devices, potentially mapping out who people meet with on a regular basis. Hashing the files does not make that collection harmless: identical files produce identical hashes, so the collector can recognize the same image across many devices without ever seeing its contents.
Serge Egelman, who discovered the hidden software with his colleague Joel Reardon, said there is an old-fashioned lesson for developers who dropped Measurement Systems code into their apps to make some money. It's about “the importance of not accepting candy from strangers.” After all, the candy might be laced with code that wants to tell the government everything it can learn about you and your users. Still, there is some hope for developers who lost an income stream to Google's ban. The company may allow some apps to return, provided they remove the Measurement Systems code, and the first few are in fact already back.
According to the Journal, Measurement Systems also used a subsidiary called Packet Forensics LLC to do business with the US government. National security agencies and the Defense Department have acknowledged buying commercially available data of this kind to support threat analysis, but the finer details of what they receive and how they use it remain secret. Governments have been collecting location-analytics information logged by mobile software for some time, and have sometimes asked firms to turn over bulk user data to law enforcement agencies. For developers, it can pay: according to documents seen by the paper, Measurement Systems claimed they could earn anywhere from $100 to $10,000 per month, provided their apps had location access and reached enough users.