A recent report from The Wall Street Journal revealed that Google has banned dozens of spyware apps for containing hidden data-harvesting software. All of them were consumer-facing apps, with over 60 million downloads in total.
About the spyware
The discovery concerned a Software Development Kit (SDK) developed by a Panama-based company, Measurement Systems S. de R.L., which was later linked, through a web of corporate records, to a Virginia-based defence contractor known for cyberintelligence.
This company does cyber security work for US intelligence agencies.
The company developed an SDK that did not add any useful features but was a front to spy on phones and collect data. The company then paid developers anywhere from $100 to over $10,000 every month to include it in their software.
Interestingly, the SDK was being used in many Muslim prayer apps and in other innocuous-sounding apps such as a weather app and a barcode scanner app. The report also revealed that the company told the developers that it was specifically interested in data from the Middle East, Asia, and Eastern and Central Europe.
One of the weather apps had a huge user base in Iran. The excuse given by Measurement Systems was that it was collecting data for ISPs (Internet Service Providers), financial companies and energy companies.
How the spyware worked
Once you installed the spyware, the SDK would become active. It would then start collecting data such as your location, contact details and information about nearby devices. The SDK was also able to access the system clipboard and thus capture everything placed on it, including any passwords one would copy and paste.
The malware SDK also had the ability to scan the filesystem and use a hashing algorithm to compare file contents against files that were of interest to its operators. Because the comparison runs on the device, on files already stored there, this would help them bypass some of the limitations brought by WhatsApp's end-to-end encryption.
Who discovered the spyware
Serge Egelman and Joel Reardon, co-founders of a mobile security firm called AppCensus, discovered the SDK. Both of them are researchers at respected institutions: the University of California, Berkeley and the University of Calgary.
They described the malware as “the most privacy-invasive SDK they have seen in the six years they have been examining mobile apps.” The duo quickly informed Google of their discovery. Google then promptly removed all the apps that were found to have the SDK.
Once the spying method became public, Measurement Systems seems to have disabled data collection remotely. This is strange, as Google did not do anything from its end to disable it.
Google says that the banned apps can be relisted on the Play Store, but they will have to remove the spyware SDK first.
The incident carries an interesting lesson for developers.
There is no such thing as a free lunch. As a developer, if a company pays you money to include its code or framework, something is amiss, and you should avoid such temptations.
Mr Egelman said very succinctly, “This saga continues to underscore the importance of not accepting candy from strangers.”
List of banned apps
Here is the list of malware apps we know so far that used the SDK to send data:
- Speed Camera Radar
- Simple weather & clock widget
- WiFi Mouse (remote control PC)
- QR & Barcode Scanner
- Smart Kit 360
- Handcent Next SMS—Text w/ MMS
- Audiosdroid Audio Studio DAW
- Al-Moazin Lite (Prayer Times)
- Qibla Compass — Ramadan 2022
- Al Quran Mp3 — 50 Reciters & Translation Audio
If you have these apps, please delete them and install their alternatives.