Google removes apps for reportedly sending data to US intelligence

Google has removed dozens of apps for collecting data and sending it to a firm linked to US intelligence.

Malware on the Google Play Store is nothing new, but it’s usually the domain of hackers, ransomware gangs, and other bad actors looking for financial gain. According to a new report by The Wall Street Journal, the latest round of malware contains a software development kit (SDK) that is reportedly sending data to a defense contractor with links to the US intelligence community.

At the heart of the operation is the Panamanian company Measurement Systems. Given that Measurement Systems is a little-known company with an even lesser-known SDK that doesn’t add any useful features, it paid developers anywhere from $100 to $10,000 or more a month to include it in their software. The SDK was used in several Muslim prayer apps, a weather app, a speed-trap detection app, and many more. All told, it’s believed compromised apps were downloaded more than 60 million times.

Read more: We asked, you told us: Most of you haven’t experienced malware on Android phones

Measurement Systems told developers it was collecting data for internet service providers, energy companies, and financial service providers. Interestingly, and coinciding with the link to US intelligence, the company told developers it was specifically interested in data from the Middle East, Asia, as well as Central and Eastern Europe — regions advertising companies do not usually prioritize since they are not as affluent as the US or Western Europe. For example, one of the weather apps has a large user base in Iran, a prime target of US intelligence efforts.

Once the SDK was active, it collected large amounts of data, including precise location, phone number, email, and nearby devices. The SDK also had full access to the system clipboard, including any passwords stored there. The SDK could also scan portions of the file system, including where WhatsApp downloads and stores files. Researchers don’t believe the SDK can open the files, but it can use a hashing algorithm to match them against files of interest. This lends further support to the belief that US intelligence is behind Measurement Systems since WhatsApp uses end-to-end encryption and intelligence agencies are always looking for ways to gain any insight they can about communication on the platform.

See also: Is WhatsApp safe? How does its end-to-end encryption work?

The malware was first discovered by Serge Egelman and Joel Reardon, co-founders of mobile app security firm AppCensus. Egelman also serves as a researcher at the International Computer Science Institute and the University of California, Berkeley, and Reardon at the University of Calgary. The men have described the malware as “the most privacy-invasive SDK they have seen in the six years they have been examining mobile apps.”

Once Egelman and Reardon informed it of the issue, Google quickly took action, removing offending apps from the Play Store. Interestingly, it appears Measurement Systems’ SDK has stopped collecting data, although Google has done nothing that would account for that behavior. It appears Measurement Systems has turned off the functionality on its end. Google has also said apps can be relisted once developers remove the SDK.

Ultimately, the entire debacle should serve as a warning to developers who may be tempted to accept money in exchange for including a random, little-known SDK: If it sounds too good to be true, it probably is.

“This saga continues to underscore the importance of not accepting candy from strangers,” Mr. Egelman said.

Here is a list of known apps containing the SDK. Users should delete these apps immediately and wait for them to be relisted in the Play Store.

• Speed Camera Radar
• Al-Moazin Lite (Prayer Times)
• WiFi Mouse (remote control PC)
• QR & Barcode Scanner
• Qibla Compass — Ramadan 2022
• Simple weather & clock widget
• Handcent Next SMS—Text w/ MMS
• Smart Kit 360
• Al Quarun Mp3 — 50 Reciters & Translation Audio
• Audiosdroid Audio Studio DAW — Apps on Google Play