We take a look at a collection of apps which were all harvesting user data via an SDK promising “monetisation”.
Dozens of apps were removed from the Google Play Store after they were found to be harvesting the data of device owners. The code in question—a software development kit (SDK)—was used inside apps which were downloaded over 10 million times.
A wide range of Android apps were found to have this particular SDK lurking. There’s no obvious connection between the apps besides the SDK, as they’re all from different sources and developers. A mobile powered speed camera radar. QR barcode scanners. Weather/clock widgets. Even a remote control PC mouse app. They all had this SDK running under the hood, doing things it shouldn’t have been. The only key point among them all is that they made use of something designed to help monetise their app.
It’s possible the app developers believed there was no issue with including the SDK in their apps. Indeed, there seems to be some confusion as to what, specifically, some developers thought the SDK was doing.
According to WSJ, one dev claimed they were told it was “collecting data on behalf of internet service providers”. These supposed ISPs were complemented by financial service/energy companies. Others claim to have signed non-disclosure agreements.
Google did not find these antics impressive, and swiftly removed many of the apps. The SDK is able to collect clipboard data, exact location, phone numbers, emails, and nearby devices. It can also scan other locations such as WhatsApp downloads.
Mapping out a person
You have to be very careful with visual clues to a person’s physical location, but also digital ones too. Stripping out GPS data from a photograph, or disabling geolocation on a social media portal. This can also work its way down to other areas, such as Bluetooth beacons in towns and department stores. Even Apple AirTags are now generating significant issues for people.
Even without physical stalker threats, you still need to know what’s going on inside the phone in your pocket. As the researchers note, whoever is collecting this information could link an email and mobile to GPS location data. This is very bad news for journalists working on sensitive stories. It’s also very bad in places where forms of political activism are not appreciated. In fact, it’s bad for everybody. Consider that your “not a big deal” is someone else’s “well that’s a disaster” on their personal threat model scale.
Back into the fold
Google is allowing removed apps back on the store for a second chance, assuming the SDK element has been removed. The BBC reports that the majority of apps have already returned. There is the question of whether or not some developers were up to no good. Perhaps some were totally unaware, maybe some saw harmless looking promotions for more accurate data collection and a bump in cash. Sadly, they may not have considered what, exactly, the SDK would be doing in return.
Is my device safe from this SDK?
Google hasn’t revealed how many more apps on the Play Store included the SDK. It’s very likely that all traces are now gone.
The age old advice of “the best way to keep your Android safe is to only download apps on the Play Store” may sound contradictory. However, it’s still the case that this is entirely accurate.
You’re much better off using the store than a third party download location. Simply hoping that it isn’t a scam from top to bottom won’t save you from a rogue install. Depending on device model, you may even have to tick the “allow installs from unknown sources” option to even use third party stores in the first place.
This could very well make things even more insecure in terms of your mobile device.
Keep applying those OS updates as they come along. Pay attention to reviews of apps before you download them. Take a look at some of the requested permissions at install time. If your device is capable of installing a trusted security tool, consider installing one of those too. All of this will help keep your device safe. While there’s never any guarantees, we’d be surprised if the Play Store gives the wheel back to this problematic and unwanted Android app addition. Looks like it’s back to business as usual for the Play Store – for now, at least.