Ryan Haynes / Android Authority
- Researchers have discovered an SDK that sends large amounts of data to U.S. defense contractors.
- Google has removed dozens of objectionable apps.
- Affected apps should be deleted, but may be re-listed if the SDK is removed.
Google has removed dozens of apps for collecting data and sending it to a firm linked to US intelligence.
Malware is nothing new in the Google Play Store, but it is usually the domain of hackers, ransomware gangs, and other bad actors who seek financial gain. According to a new report by The Wall Street Journal, the latest round of malware includes a software development kit (SDK) that sends information to a defense contractor with links to the US intelligence community.
At the heart of the operation is the Panamanian company Measurement Systems. Given that Measurement Systems is a little-known entity with an even lesser-known SDK that does not add any useful features, it pays developers $100 to $10,000 or more per month to include the SDK in their software. The SDK was used in many Muslim prayer apps, a weather app, a speed-trap detection app and many more. All told, it is believed that compromised apps have been downloaded more than 60 million times.
Measurement Systems told developers that it was collecting data for internet service providers, energy companies and financial service providers. Interestingly, and in keeping with the link to US intelligence, the company told developers that it was particularly interested in data from the Middle East, Asia, and Central and Eastern Europe, regions that advertising agencies generally do not prioritize because they are not as rich as the United States or Western Europe. For example, one of the weather apps has a large user base in Iran, a major target of US intelligence efforts.
Once the SDK is activated, it collects large amounts of data, including specific locations, phone numbers, emails, and nearby devices. The SDK also had full access to the system clipboard, including any passwords stored there. The SDK can also scan parts of the file system, including where WhatsApp downloads and saves files. Researchers do not believe that the SDK can open the files, but it can match them against files of interest using a hashing algorithm. This further supports the belief that US spies are behind Measurement Systems, because WhatsApp uses end-to-end encryption and intelligence agencies are always looking for ways to gain insight into communication on the platform.
The malware was first discovered by Serge Egelman and Joel Reardon, co-founders of the mobile app security company AppCensus. Egelman also worked as a researcher at the International Computer Science Institute and the University of California, Berkeley, and the University of Calgary. The men described the malware as “the most privacy-attacking SDK they’ve tested on a mobile app in six years.”
Once Egelman and Reardon reported the problem, Google quickly removed the objectionable apps from the Google Play Store. Interestingly, the Measurement Systems SDK appears to have stopped collecting data, although Google did nothing that would account for that change. Measurement Systems seems to have shut the function off on its end. Google also said that apps could be re-listed if developers removed the SDK.
Ultimately, the whole debacle should serve as a warning to developers who may be tempted to accept money in exchange for including a random, little-known SDK: if it seems too good to be true, it probably is.
“This story underscores the importance of not taking candy from strangers,” said Mr Egelman.
Here is a list of known apps that contain the SDK. Users should delete these apps immediately and wait for them to be re-listed in the Play Store.
- Speed camera radar
- Al-Moazin Light (Prayer Time)
- WiFi Mouse (Remote Control PC)
- QR and barcode scanner
- Qibla Compass – Ramadan 2022
- Easy weather and clock widget
- Text with Handsent Next SMS — MMS
- Smart Kit 360
- Al Quarun Mp3 – 50 Reciter and Translation Audio
- Audiosdroid Audio Studio DAW