Google unleashes a crackdown on data-stealing malware in the Play Store

Don’t make creepy apps, you all

Malicious software, AKA malware, is a huge problem for anyone who ends up saddled with it. It's not just the bad guys who hide software that can hurt us. Some seemingly legitimate companies do things like collect personal information without the user's knowledge or consent. This is far from the first case of malware slipping into the Play Store, but it appears that Google, at least, is doing something about this privacy breach after identifying a number of problematic Android apps in the Play Store.

The search giant has taken measures to boot apps with hidden data-collecting software out of the Store, according to a recent Wall Street Journal report. The code was written by Measurement Systems S. de RL, a Panamanian company that works with US security agencies. Measurement Systems also has links to a defense contractor in Virginia that specializes in cyber defense. According to the WSJ report, the behavior was found by researchers who were reviewing Android apps while looking for vulnerabilities. The data collection code is said to run on millions of Android devices and has been detected in popular consumer apps, Muslim prayer apps, and highway speed-trap detection and QR code reader apps. The researchers shared their findings with federal privacy officials, the WSJ and Google.


The Panamanian company reportedly paid developers to include its SDK code in their apps, and the group took up the data collection. The Wall Street Journal reported that it was able to look at data from an outside company showing the geographic distribution of users whose phones were running the Measurement Systems SDK, and that it learned from researchers that the buried code can obtain location information in addition to extracting information such as email and phone numbers. The SDK can also display hashed data from WhatsApp photo folders and even pull data about nearby computers and mobile devices, potentially identifying people the user meets on a regular basis.

According to the newspaper, Measurement Systems also used a subsidiary called Packet Forensics LLC to do business with the US government. While national security agencies and the Department of Defense have admitted to purchasing data like this from commercial providers to help analyze threats, the exact details of what they obtain and how it is used remain confidential. Governments have been collecting location analytics information logged by mobile software for some time, and sometimes require companies to hand over large amounts of user data to law enforcement agencies. The thing is that it can pay off for developers. According to documents seen by the newspaper, Measurement Systems claimed developers could get anywhere from $100 to $10,000 a month as long as they brought in enough users with apps that access location data.

Serge Egelman, who with colleague Joel Reardon discovered the hidden software, said there's an old lesson for developers who have put metrics code into their apps looking to make some money. It is about "the importance of not accepting sweets from strangers". After all, the sweets might be poisoned with code that wants to tell the government everything it can find out about you and your users. There is still some hope for those who have lost revenue streams from the Google ban. The company may allow some apps to come back, as long as they delete the Measurement Systems icon. The first few have actually already returned.
