Google recently booted over a dozen apps from its Play Store—among them Muslim prayer apps with 10 million-plus downloads, a barcode scanner, and a clock—after researchers discovered secret data-harvesting code hidden within them. Creepier still, the clandestine code was engineered by a company linked to a Virginia defense contractor, which paid developers to incorporate its code into their apps to pilfer users’ data.
While conducting research, researchers came upon a piece of code that had been implanted in multiple apps that was being used to siphon off personal identifiers and other data from devices. The code, a software development kit, or SDK, could “without a doubt be described as malware,” one researcher said.
For the most part, the apps in question appear to have served basic, repetitive functions—the sort that a person might download and then promptly forget about. However, once deployed onto the user’s phone, the SDK-laced programs harvested important data points about the device and its users like phone numbers and email addresses, researchers revealed.
The Wall Street Journal originally reported that the weird, invasive code, was discovered by a pair of researchers, Serge Egelman, and Joel Reardon, both of whom co-founded an organization called AppCensus, which audits mobile apps for user privacy and security. in the blog post on their findings, Reardon writes that AppCensus initially reached out to Google about their findings in October of 2021. However, the apps ultimately weren’t exposed from the Play store until March 25 after Google had investigated, the Journal reports. Google issued a statement in response: “All apps on Google Play must comply with our policies, regardless of the developer. When we determine an app violates these policies, we take appropriate action.”
One of the apps was a QR and barcode scanner that, if downloaded, was instructed by the SDK to collect a user’s phone number, email address, IMEI information, GPS data, and router SSID. Another was a suite of Muslim prayer apps including Al Moazin and Qibla Compass—downloaded approximately 10 million times—that similarly pilfered phone numbers, router information, and IMEI. A weather and clock widget with over one million downloads sucked up a similar amount of data at the code’s command. In all, the apps, some of which could also determine users’ locations, had racked up more than 60 million downloads.
“A database mapping someone’s current email and phone number to their precise GPS location history is particularly frightening, as it could easily be used to run a service to look up a person’s location history just by knowing their phone number or email, which could be used to target journalists, dissidents, or political rivals,” writes Reardon in his blog post.
So who is behind all this? According to researchers, the company registered in Panama called Measurement Systems. The researchers write in their report that Measurement Systems was actually registered by a company called Vostrom Holdings—a firm based in Virginia with ties to the national defense industry. Vostrom contracts with the federal government via a subsidiary firm called Packet Forensics, which appears to specialize in cyberintelligence and network defense for federal agencies, the Journal reports.
App developers who spoke to the newspaper claimed that Management Systems had paid them to deploy its SDK into their apps, which allowed the company to “surreptitiously collect data” from device users. Other developers noted that the company asked them to sign non-disclosure agreements. Documents viewed by the Journal apparently revealed that the company mostly wanted data on users who were based in “Middle East, Central and Eastern Europe and Asia.”
The defense industry has a long, problematic relationship with the data brokerage industry—something that data researchers on Twitter were quick to point out after the Journal’s story dropped:
A full list of the apps that were found to contain the creepy SDK code can be found in Reardon’s write-up at the AppCensus website.