Following the discovery that certain applications were using concealed malicious software to acquire user data, Google removed more than a dozen apps from the Play Store. According to reports, the code was created by Measurement Systems, a company associated with a Virginia defence contractor working for the United States’ national security organisations.
According to official statements, Measurement Systems employed developers from various parts of the world to integrate the company's code into the developers' own applications via an SDK (Software Development Kit). This code enabled the company to collect user data without the knowledge of either the developers or the consumers.
Google has prohibited data-collection applications.
Google recently blocked access to a number of Muslim prayer applications, which had been downloaded over ten million times, as well as other applications such as a highway speed trap detector, a QR code reader, and a selection of popular consumer applications. This action has caused considerable consternation amongst users of the affected applications.
According to Scott Westover, a representative from Google, the company removed certain applications from its Play Store on March 25, 2022, due to their collection of user data in contravention of Google’s established policies. Westover further stated that if the relevant organisations delete the associated software code, Google may consider reinstating these applications. A handful of applications have already been reinstated, having met the requisite business criteria.
What kind of data have Measurement Systems collected so far?
Measurement Systems has collected an extensive amount of user data, including precise geographic location, personal details such as email addresses and telephone numbers, as well as information on nearby devices.
By utilising the software development kit, Measurement Systems can capture data from the phone's clipboard when a user performs a cut-and-paste action. This provides the potential for malicious software to gather important credentials. Furthermore, the SDK can access the file system of the phone, including any files located in the WhatsApp downloads folder.
In March 2022, Serge Egelman of the International Computer Science Institute and the University of California, Berkeley, and Joel Reardon from the University of Calgary and the Federal Trade Commission, uncovered a vulnerability that had not previously been identified. Upon informing Google of their findings, the tech giant conducted a thorough investigation and took the appropriate measures to address the issue.
In a recent blog post, Reardon drew attention to the potential consequences of this incident. He characterised the situation of a database linking individual identifiers, such as email addresses and telephone numbers, to a detailed record of their GPS location history as deeply concerning. Furthermore, he warned that third parties may be able to exploit this sensitive information to cause harm to journalists, activists, or political adversaries.
According to Egelman, this situation serves to underscore the importance of the adage “don’t take sweets from strangers”, as developers who utilised the SDK for financial gain put the data of millions of Android users at risk.
According to their findings, Google's removal of the applications from the Play Store would not be effective in preventing Measurement Systems from collecting data from phones that already have the applications installed. Egelman and Reardon also reported that the SDK stopped gathering data promptly after they began to circulate their results.
Measurement Systems offered developers compensation ranging from $100 to $10,000 per month, depending on the number of active users. According to the accompanying documentation, the company was particularly interested in users who had consented to the program accessing their location, but it has been demonstrated that this authorization was not necessary for the organisation to acquire the data.
Take note, developers all across the world.
As a developer, it is of utmost importance to comply with all of Google’s rules and regulations when hosting applications on the Play Store. Prior to using any SDKs or software code in your projects, it is imperative that you take the time to fully read and understand the code and its implications. Failure to do so can result in SDKs that are potentially hazardous to the users of the application, and can lead to breaches of trust that can severely damage the credibility of your projects.
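One concrete way to act on that advice is to triage a third-party SDK statically before bundling it: look for Android APIs that reach the data categories described above (clipboard, location, nearby devices, account and phone-number identity, and external storage such as the WhatsApp downloads folder), and cross-check them against the permissions the SDK's own manifest asks the host app to merge in. The script below is an added illustration written for this article; it is not code from the article, from Google, or from Measurement Systems, and it does not reproduce that SDK. The Android API names and permission strings it searches for are real framework identifiers; the source files and manifest it scans are constructed samples.

```python
"""Static triage of a third-party Android SDK before bundling it (added example)."""
import re
import xml.etree.ElementTree as ET
from collections import defaultdict

ANDROID_NS = "{http://schemas.android.com/apk/res/android}"

# Source-level indicators grouped by the data category they reach.
# These are real Android framework / Play Services API names.
INDICATORS = {
    "clipboard": [r"\bClipboardManager\b", r"\bgetPrimaryClip\b"],
    "location": [r"\bgetLastKnownLocation\b", r"\brequestLocationUpdates\b",
                 r"\bFusedLocationProviderClient\b"],
    "nearby_devices": [r"\bWifiManager\b", r"\bgetScanResults\b",
                       r"\bBluetoothAdapter\b", r"\bBluetoothLeScanner\b"],
    "identity": [r"\bAccountManager\b", r"\bgetAccounts\b",
                 r"\bTelephonyManager\b", r"\bgetLine1Number\b"],
    "external_storage": [r"\bgetExternalStorageDirectory\b",
                         r"\bgetExternalStoragePublicDirectory\b", r"WhatsApp/"],
}

# Manifest permissions that unlock the same categories. Note that clipboard
# access needs no permission at all, so a manifest review alone never sees it.
PERMISSION_CATEGORY = {
    "android.permission.ACCESS_FINE_LOCATION": "location",
    "android.permission.ACCESS_COARSE_LOCATION": "location",
    "android.permission.ACCESS_WIFI_STATE": "nearby_devices",
    "android.permission.BLUETOOTH_SCAN": "nearby_devices",
    "android.permission.GET_ACCOUNTS": "identity",
    "android.permission.READ_PHONE_STATE": "identity",
    "android.permission.READ_EXTERNAL_STORAGE": "external_storage",
    "android.permission.MANAGE_EXTERNAL_STORAGE": "external_storage",
}


def scan_sources(sources):
    """Return {category: [(path, line_no, matched_text), ...]} for every hit."""
    hits = defaultdict(list)
    for path, text in sources.items():
        for line_no, line in enumerate(text.splitlines(), start=1):
            for category, patterns in INDICATORS.items():
                for pat in patterns:
                    m = re.search(pat, line)
                    if m:
                        hits[category].append((path, line_no, m.group(0)))
    return dict(hits)


def declared_permissions(manifest_xml):
    """Permissions an SDK manifest asks the host app to merge in."""
    root = ET.fromstring(manifest_xml)
    return {el.get(ANDROID_NS + "name") for el in root.iter("uses-permission")}


def audit_sdk(sources, manifest_xml):
    """Combine both views per category.

    'confirmed'      code reaches the category AND the manifest requests a
                     matching permission;
    'code_only'      code reaches it without a declared permission (the host
                     app's own grants, or no permission at all, may suffice);
    'permission_only' permission requested but no reaching code found;
    'clear'          nothing found.
    """
    code_hits = scan_sources(sources)
    perm_cats = {PERMISSION_CATEGORY[p] for p in declared_permissions(manifest_xml)
                 if p in PERMISSION_CATEGORY}
    report = {}
    for category in INDICATORS:
        in_code, in_manifest = category in code_hits, category in perm_cats
        report[category] = ("confirmed" if in_code and in_manifest else
                            "code_only" if in_code else
                            "permission_only" if in_manifest else "clear")
    return report


# Constructed sample inputs for the demonstration (not real SDK code).
SAMPLE_SOURCES = {
    "sdk/src/Collector.java": """package com.example.sdk;
import android.content.ClipboardManager;
public class Collector {
    void grab(ClipboardManager cm) {
        CharSequence text = cm.getPrimaryClip().getItemAt(0).getText();
    }
    void files() {
        File dir = new File(Environment.getExternalStorageDirectory(), "WhatsApp/Media");
    }
}""",
    "sdk/src/Where.java": "void locate(LocationManager lm) { Location l = lm.getLastKnownLocation(\"gps\"); }",
}
SAMPLE_MANIFEST = """<manifest xmlns:android="http://schemas.android.com/apk/res/android" package="com.example.sdk">
  <uses-permission android:name="android.permission.ACCESS_FINE_LOCATION"/>
  <uses-permission android:name="android.permission.READ_EXTERNAL_STORAGE"/>
  <uses-permission android:name="android.permission.INTERNET"/>
</manifest>"""

if __name__ == "__main__":
    for category, status in audit_sdk(SAMPLE_SOURCES, SAMPLE_MANIFEST).items():
        print(f"{category:17s} {status}")
    for category, hits in scan_sources(SAMPLE_SOURCES).items():
        for path, line_no, matched in hits:
            print(f"  {category}: {path}:{line_no} -> {matched}")
```

Run against the constructed samples, the report flags location and external storage as confirmed (code plus permission) and the clipboard as code_only, which is the case that matters most here: clipboard reads require no permission, so a review that stops at the manifest would miss exactly the capability the article describes. A code_only or confirmed hit is not proof of misuse, but it is the point at which a developer should read the surrounding SDK code and ask why a monetisation library needs that access before shipping it to users.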