Business

Android apps with 45 million installs used data harvesting SDK

Published

on

Mobile malware analysts warn about a set of applications available on the Google Play Store, which collected sensitive user data from over 45 million installs of the apps.

The apps collected this data through a third-party SDK that includes the ability to capture clipboard content, GPS data, email addresses, phone numbers, and even the user’s modem router MAC address and network SSID.

This sensitive data could lead to significant privacy risks for the users if misused or leaked due to poor server/database security. 

Furthermore, clipboard contents could potentially include very sensitive information, including crypto wallet recovery seeds, passwords, or credit card numbers, which should not be stored in a third-party database.

According to AppCensus, who discovered the use of this SDK, the collected data is bundled and transmitted by the SDK to the domain “mobile.measurelib.com,” which appears to be owned by a Panama-based analytics firm named Measurement Systems.

Snapshot from the Measurement Systems site

The firm is promoting a data-collecting SDK named Coelib as a monetization opportunity for the apps, promoting it as an ad-free way for the publishers to generate revenue.

AppCensus researchers say that many of the strings in the SDK’s library are obfuscated using AES encryption and then base64 encoded.

“And what is the threat model that requires encrypting your strings anyway?! At least, it’s a relief that they only do 10 rounds of key derivation, because this outrageous block of code executes every single time that a string is used by this library (delaying the app and wasting battery life),” explain’s AppCensus in their report.

Pseudocode of the SDK’s string constant runtime decryption
(AppCensus)

Apps using this SDK

The most popular and downloaded applications found to be using this SDK to send sensitive user data are the following:

It’s important to note that all of these apps were reported to Google on October 20, 2021, and were subsequently investigated and removed from the Play Store.

However, their publishers managed to reintroduce them on the Play Store after removing the data-harvesting SDK and submitting new, updated versions to Google for review.

If users installed the apps on a previous date, though, the SDK would still be running on their smartphones, so removal and re-installation would be advised in this case.

Unfortunately, as data collection libraries quietly run in the background collecting data, it’s difficult for users to protect themselves from them. Therefore, it is advised that you only install apps from trustworthy developers who have a long history of highly reviewed apps.

Another good practice is to keep the number of apps installed on your device at the minimum necessary and ensure that the permissions requested are not overly broad.

Bleeping Computer has contacted all publishers of the apps listed above and the SDK provider, and we will update this post with their comments as soon as we receive them.

The publisher of one of the listed apps, ‘Simple weather & Clock Widget’ provided the following statement to BleepingComputer:

“We really wanted to apologize to our users for this incident. It was not our fault. Like a few other developers, we have been misled.

Immediately after we were able to confirm that the SDK owned by Measurementsys was exploiting some Android vulnerabilities, operating in an unclear and privacy-questionable manner, we urgently removed the defective SDK, released an update, and ended our relationship with this partner.

We care about full transparency and security, we create apps and we also use them. This incident had a very bad effect on our app, we will make every effort to ensure that this situation never happens again.”

Source: https://www.bleepingcomputer.com/news/security/android-apps-with-45-million-installs-used-data-harvesting-sdk/

Click to comment
Exit mobile version