Google has removed dozens of malicious apps from its mobile app marketplace, all of which allegedly contained code tied to a contractor employed by US national security agencies.
According to a Wall Street Journal report, the company that wrote the code is called Measurement Systems. The firm is said to have paid developers around the world to embed its software development kit (SDK) in their apps.
The precise number of Android apps that carried the malware is unclear (there were at least twelve), but according to the researchers responsible for the discovery the apps were downloaded at least 60 million times in total.
Targeting the Middle East
Google has now removed the compromised apps from the Play Store, but they remain active and are still gathering data. The apps include a number of Muslim prayer apps (with more than 10 million downloads), highway-speed-trap detection apps, QR-code reading apps and other “popular consumer apps”.
Allegedly, Measurement Systems told developers they wanted data from users in the Middle East, Central and Eastern Europe and Asia.
Some of the offending apps have already been permitted to return to Google Play listings after removing the controversial code.
According to Serge Egelman and Joel Reardon, the researchers behind the discovery, the findings represent “the most privacy-invasive SDK they have seen in the six years they have been examining mobile apps”.
The SDK was gathering all kinds of data, from the precise location of the endpoints, to email addresses, phone numbers, and data on nearby personal devices. The device clipboard was also monitored, meaning whoever coped and pasted their passwords on the mobile device was at risk.
According to the researchers, the type of data harvested is highly unusual, as consumer data brokers typically steer clear from data that is protected by privacy laws.
