Several apps were found to contain hidden data-harvesting code, and Google has removed over a dozen of them from its Play Store. According to reports, the code was produced by Measurement Systems, a Virginia-based company known for working with US national security agencies.
Reports indicate that Measurement Systems recruited developers in different regions to embed its code in their applications via a software development kit (SDK). The code allowed the company to collect user data covertly, without the knowledge of the app developers or their users.
Google has banned applications that collected user data through the SDK.
Google has removed several apps, including Muslim prayer apps with more than ten million downloads, QR code readers, highway speed-trap detectors and other widely used consumer apps. Users of the affected apps have expressed significant dismay.
On March 25, 2022, Google removed the apps from its Play Store for gathering user data in violation of Google's policies, according to Scott Westover, a Google spokesperson. Westover added that if the companies involved remove the offending code, Google could consider restoring their apps. A few apps have already been reinstated after meeting Google's requirements.
What type of user data has Measurement Systems gathered thus far?
Measurement Systems has amassed a vast quantity of user data, comprising precise geographical location, personal identifiers such as email addresses and phone numbers, and details about nearby devices.
Through the SDK, Measurement Systems could read the contents of a phone's clipboard whenever the user copied and pasted, which can expose any passwords or other credentials the user has copied. The SDK could also read from the phone's file system, including files in the WhatsApp downloads folder.
In March 2022, Serge Egelman of the International Computer Science Institute and the University of California, Berkeley, together with Joel Reardon of the University of Calgary and the Federal Trade Commission, uncovered the SDK's previously unknown data collection. After they notified Google, the company conducted a detailed investigation and took the steps described above.
In a recent blog post, Reardon set out the likely consequences. He described the prospect of a database that joins personal identifiers, such as email addresses and phone numbers, to a detailed record of GPS location history as profoundly alarming, and cautioned that third parties could use such information to target journalists, activists or political opponents.
Egelman said the episode underlines the saying "never accept candy from strangers": developers who sought profit through the SDK put the data of countless Android users at risk.
Egelman and Reardon concluded that removing the apps from the Play Store would not stop Measurement Systems from collecting data from devices on which the apps were already installed. They also observed that the SDK stopped collecting data shortly after their findings were made public.
The company paid developers between $100 and $10,000 per month, depending on how many active users they had. According to the accompanying documents, Measurement Systems was particularly interested in users who had granted the app location permission, although the researchers found that this permission was not required for the company to obtain the data.
Attention, developers worldwide.
For a developer, it is crucial to follow all of Google's policies and procedures when publishing apps on the Play Store. Before integrating any SDK or third-party code into a project, review what it actually does: which permissions it requests, what data it accesses and where that data is sent. Neglecting this can leave a risky SDK inside your app, compromising the safety of your users, undermining their trust and causing lasting damage to your project's reputation.
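To make that review concrete, here is an added example, not code from the original article and not from Measurement Systems, Google or the researchers, that statically triages a third-party Android SDK archive (.aar or .jar) for the kinds of access described above: clipboard reads, the WhatsApp download folder, precise location and nearby-device scanning. The indicator strings are real Android API and permission names; the archives it scans are constructed inline as stand-ins for a suspicious and a benign SDK, and the category names and the reject threshold are assumptions of this example.

```python
"""Static triage of a third-party Android SDK archive for the data access
described in the article. Added example, not the SDK or any project's tool."""
import io
import sys
import zipfile

# Byte strings that appear verbatim in compiled classes when the matching
# Android API is referenced, grouped by the kind of data they give access to.
INDICATORS = {
    "clipboard": [b"android/content/ClipboardManager", b"getPrimaryClip"],
    "whatsapp_files": [b"WhatsApp/Media/", b"com.whatsapp"],
    "precise_location": [b"android/location/LocationManager",
                         b"getLastKnownLocation", b"FusedLocationProviderClient"],
    "nearby_devices": [b"android/bluetooth/le/BluetoothLeScanner",
                       b"android/net/wifi/WifiManager", b"getScanResults"],
    "identifiers": [b"android/accounts/AccountManager", b"getLine1Number"],
}

# Permissions an SDK merges into the host app's manifest. In an .aar the
# manifest is plain-text XML, so a substring search is enough (an .apk's
# manifest is binary XML and would need decoding first).
PERMISSIONS = [b"ACCESS_FINE_LOCATION", b"READ_EXTERNAL_STORAGE",
               b"BLUETOOTH_SCAN", b"GET_ACCOUNTS", b"READ_PHONE_STATE"]

# Assumed policy of this example: an analytics SDK has no business here.
REJECT_ON = ("clipboard", "whatsapp_files")


def scan_archive(archive: bytes, prefix: str = "") -> dict:
    """Walk every entry of a zip-based SDK archive, recursing into nested jars
    such as an .aar's classes.jar, and return {category: sorted hits}, where
    each hit is 'entry path: indicator'."""
    hits = {}
    with zipfile.ZipFile(io.BytesIO(archive)) as zf:
        for info in zf.infolist():
            if info.is_dir():
                continue
            name = prefix + info.filename
            data = zf.read(info.filename)
            if info.filename.endswith(".jar"):
                for cat, found in scan_archive(data, name + "!").items():
                    hits.setdefault(cat, []).extend(found)
                continue
            if info.filename == "AndroidManifest.xml":
                for perm in PERMISSIONS:
                    if perm in data:
                        hits.setdefault("manifest_permissions", []).append(
                            f"{name}: {perm.decode()}")
            for cat, needles in INDICATORS.items():
                for needle in needles:
                    if needle in data:
                        hits.setdefault(cat, []).append(f"{name}: {needle.decode()}")
    return {cat: sorted(found) for cat, found in hits.items()}


def triage(archive: bytes) -> tuple:
    """Return ('reject' | 'review' | 'ok', hits) for an SDK archive."""
    hits = scan_archive(archive)
    if any(cat in hits for cat in REJECT_ON):
        return "reject", hits
    return ("review" if hits else "ok"), hits


def write_zip(entries: dict) -> bytes:
    """Build an in-memory zip from {entry name: bytes}."""
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w") as zf:
        for name, data in entries.items():
            zf.writestr(name, data)
    return buf.getvalue()


def build_sample_aar() -> bytes:
    """Constructed stand-in for a suspicious SDK: a manifest requesting location
    and storage, plus a fake class referencing clipboard, location and the
    WhatsApp folder. Not a real SDK."""
    collector = (b"\xca\xfe\xba\xbe"  # class-file magic, then constant-pool-like strings
                 b"android/content/ClipboardManager" b"getPrimaryClip"
                 b"android/location/LocationManager"
                 b"/storage/emulated/0/WhatsApp/Media/WhatsApp Documents/")
    manifest = (b'<manifest package="com.example.sdk">'
                b'<uses-permission android:name="android.permission.ACCESS_FINE_LOCATION"/>'
                b'<uses-permission android:name="android.permission.READ_EXTERNAL_STORAGE"/>'
                b'</manifest>')
    classes_jar = write_zip({"com/example/sdk/Collector.class": collector,
                             "com/example/sdk/Util.class": b"\xca\xfe\xba\xbejava/lang/String"})
    return write_zip({"AndroidManifest.xml": manifest, "classes.jar": classes_jar})


def build_benign_aar() -> bytes:
    """Constructed UI-only SDK that touches none of the indicators."""
    classes_jar = write_zip({"com/example/ui/Widget.class": b"\xca\xfe\xba\xbeandroid/view/View"})
    return write_zip({"AndroidManifest.xml": b'<manifest package="com.example.ui"/>',
                      "classes.jar": classes_jar})


if __name__ == "__main__":
    # Usage: python sdk_triage.py vendor-sdk.aar   (defaults to the constructed sample)
    archive = open(sys.argv[1], "rb").read() if len(sys.argv) > 1 else build_sample_aar()
    verdict, hits = triage(archive)
    print("verdict:", verdict)
    for cat, found in hits.items():
        for hit in found:
            print(f"  [{cat}] {hit}")
```

A string match is cheap triage, not proof: obfuscated or reflection-based code hides these names, so a hit should lead to decompiling the SDK and watching its network traffic on a test device, and a clean result does not clear it. The manifest check matters because an SDK's permissions are merged into your app's, so a prayer app can end up shipping location and storage permissions it never needed.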