Dozens of apps—including Muslim prayer apps, a speed-trap alert app and a QR-code reader—were removed from the Google Play Store around March 25 after researchers found they included software for secretly collecting user data that was developed by a company with ties to U.S. security agencies, the Wall Street Journal reported Wednesday.
Popular apps that contained the secret data-harvesting software include Speed Camera Radar, Al-Moazin Lite (Prayer Times) and WiFi Mouse(remote control PC), each with over 10 million downloads, and QR & Barcode Scanner and Qibla Compass - Ramadan 2022, each with over 5 million downloads, according to a report published Friday by University of Calgary researcher Joel Reardon and Serge Egelman, a researcher at the International Computer Science Institute of the University of California, Berkeley.
The Panama-based company Measurement Systems S. de R.L. paid app developers to include its code in their software, allowing Measurement Systems to gather data from millions of users around the world, the Wall Street Journal reported.
Apps banned for prohibited harvesting of user data can apply for reinstatement in the Google Play Store if the offending code is removed, a Google spokesperson told the Wall Street Journal.
Measurement Systems’ software was included in apps downloaded to at least 60 million devices, Reardon and Egelman told the Wall Street Journal, though the software reportedly stopped harvesting user data after the researchers announced their discovery.
After Reardon and Egelman informed Google of the spyware, Google launched an investigation resulting in the March 25 bans, the Wall Street Journal reported.
Google and Measurement Systems did not immediately respond to requests for comment from Forbes.
The Wall Street Journal found that Measurement Systems was connected via company records and an internet domain registration to a Virginia-based contractor involved in cyberintelligence operations for U.S. security agencies. The company denied to the Wall Street Journal that it was involved in secret data-harvesting or that it had any links to U.S. defense contractors.
The developer of the Al-Moazin Lite app told the Wall Street Journal that the company had been led to believe Measurement Systems was gathering data on behalf of internet service, financial and energy companies, which Egelman said highlighted “the importance of not accepting candy from strangers.”
Some apps using Measurement Systems’ software collected phone numbers, email addresses and GPS data, which the researchers wrote could be used to track someone’s movements knowing only their phone number or email address, potentially a powerful tool for governments wishing to surveil and suppress dissidents.
Governments sometimes hire mercenary hacker groups to harvest data from encrypted communications apps or to undermine infrastructure or critical services. Russia is a particularly prominent sponsor of hacking, posing a “serious and persistent threat to critical infrastructure both in the United States and around the world,” according to Department of Justice officials. On March 24, the Department of Justice announced charges against four Russian government employees who allegedly targeted thousands of computers connected to the energy sector in about 135 countries, including the U.S., between 2012 and 2018.
Some apps that previously contained Measurement Systems’ malware, including Speed Camera Radar, WiFi Mouse(remote control PC), QR & Barcode Scanner, Qibla Compass - Ramadan 2022, Simple weather & clock widget and Handcent Next SMS-Text w/ MMS, are already back on the Google Play Store.