A dozen Android apps are harvesting data and Google has banned them

Documents show the code placed in those consumer-centric apps is tied to US national-security contractors.
11 April 2022


  • Google removed the apps from the Play Store on March 25 and only allows them back once the data-harvesting code has been removed
  • The data collected included precise location, email addresses and phone numbers, nearby devices, and clipboard contents (including passwords) when users cut and pasted
  • Several of the apps are already back online and available for download

A dozen Android apps have recently been removed from the Google Play Store after researchers discovered that they had been harvesting millions of users’ data. The apps, among them a Muslim prayer app with over 10 million downloads, a barcode scanner and a clock, contained secret data-harvesting code tied to US national-security contractors.

As reported by the Wall Street Journal, the two researchers, Serge Egelman of the International Computer Science Institute at UC Berkeley and Joel Reardon of the University of Calgary, first discovered the SDK in October 2021 and immediately reported it to Google. They only published their findings in a report on Wednesday.

The researchers’ findings show that the Panamanian company that wrote the code, Measurement Systems S. de R.L., is linked to US national-security contractors. The SDK was found to be collecting rich data, including precise location, email addresses and phone numbers, nearby devices, and clipboard contents (which can include passwords) when users cut and pasted.

“A database mapping someone’s actual email and phone number to their precise GPS location history is particularly frightening, as it could easily be used to run a service to look up a person’s location history just by knowing their phone number or email, which could be used to target journalists, dissidents, or political rivals,” Reardon wrote in his blog post.

The SDK could also scan for WhatsApp downloads, according to the researchers. Measurement Systems did not encrypt or otherwise obfuscate the personal identifiers it transmitted, which may violate data-privacy laws. “Measurement Systems paid developers around the world to incorporate its code—known as a software development kit, or SDK—into their apps, developers said,” according to WSJ’s report.
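The practical question for anyone who already has one of these apps installed is how to tell whether a bundled third-party package exhibits the combination of behaviours described above (location, clipboard, nearby devices, WhatsApp files, plus network access) independently of what the host app itself does. The script below is an added example, not code from the article or from the researchers: it triages apktool output (AndroidManifest.xml plus smali sources) and attributes each capability to the code package that uses it, so that an SDK’s behaviour is not hidden behind the host app’s legitimate permissions. The package names, manifest and smali snippets are constructed for the demo; the page does not give the real SDK’s package name, and the Dalvik call patterns are a starting list, not an exhaustive one.

```python
"""Triage a decompiled Android app (apktool output) for the data-access
capabilities described in the article, grouped by code package.
Added example; all package names and file contents below are constructed."""
import re
import xml.etree.ElementTree as ET
from typing import Dict, List, Set

ANDROID_NS = "http://schemas.android.com/apk/res/android"

# Capability -> Dalvik call/string patterns in smali that indicate it.
CAPABILITY_PATTERNS: Dict[str, List[str]] = {
    "precise_location": [
        r"Landroid/location/LocationManager;->requestLocationUpdates",
        r"Lcom/google/android/gms/location/FusedLocationProviderClient;->",
    ],
    "clipboard_read": [
        r"Landroid/content/ClipboardManager;->getPrimaryClip\b",
        r"Landroid/content/ClipboardManager;->addPrimaryClipChangedListener",
    ],
    "nearby_devices": [
        r"Landroid/bluetooth/BluetoothAdapter;->startDiscovery",
        r"Landroid/bluetooth/le/BluetoothLeScanner;->startScan",
        r"Landroid/net/wifi/WifiManager;->getScanResults",
    ],
    "whatsapp_files": [r'const-string [^,]+, "[^"]*WhatsApp[^"]*"'],
    "network": [r"Ljava/net/HttpURLConnection;->", r"Lokhttp3/OkHttpClient;->"],
}

# Permissions (any one of the set) a capability needs to be live. The manifest
# is app-wide, so an SDK inherits every grant the host app asked for.
# Clipboard reads need no permission at all, which is why they are easy to miss.
PERMISSIONS_FOR: Dict[str, Set[str]] = {
    "precise_location": {"android.permission.ACCESS_FINE_LOCATION"},
    "clipboard_read": set(),
    "nearby_devices": {"android.permission.BLUETOOTH", "android.permission.BLUETOOTH_SCAN",
                       "android.permission.ACCESS_WIFI_STATE"},
    "whatsapp_files": {"android.permission.READ_EXTERNAL_STORAGE"},
    "network": {"android.permission.INTERNET"},
}
SENSITIVE = {"precise_location", "clipboard_read", "nearby_devices", "whatsapp_files"}


def manifest_permissions(xml_text: str) -> Set[str]:
    """Return the set of <uses-permission android:name=...> values."""
    key = f"{{{ANDROID_NS}}}name"
    root = ET.fromstring(xml_text)
    return {el.get(key) for el in root.iter("uses-permission") if el.get(key)}


def package_of(path: str) -> str:
    """Map 'smali*/com/x/y/Foo.smali' to the top-level package 'com.x.y'."""
    parts = path.split("/")
    if parts and parts[0].startswith("smali"):
        parts = parts[1:]
    return ".".join(parts[:-1][:3])


def scan_packages(files: Dict[str, str]) -> Dict[str, Set[str]]:
    """Collect the capabilities each package's smali code references."""
    found: Dict[str, Set[str]] = {}
    for path, text in files.items():
        caps = found.setdefault(package_of(path), set())
        for cap, patterns in CAPABILITY_PATTERNS.items():
            if any(re.search(p, text) for p in patterns):
                caps.add(cap)
    return found


def triage(manifest_xml: str, files: Dict[str, str]) -> Dict[str, dict]:
    """Per package: capabilities that are live given the manifest, plus a risk grade."""
    granted = manifest_permissions(manifest_xml)
    report: Dict[str, dict] = {}
    for pkg, caps in scan_packages(files).items():
        live = {c for c in caps if not PERMISSIONS_FOR[c] or PERMISSIONS_FOR[c] & granted}
        collects = live & SENSITIVE
        # Several identifier/location sources plus a network path is the exfiltration shape.
        risk = "high" if "network" in live and len(collects) >= 2 else ("medium" if collects else "low")
        report[pkg] = {"capabilities": sorted(live), "risk": risk}
    return report


# Constructed sample: a prayer app that legitimately needs location, bundling a
# hypothetical telemetry SDK (com.example.telemetrysdk) that does much more.
SAMPLE_MANIFEST = """<manifest xmlns:android="http://schemas.android.com/apk/res/android"
    package="com.example.prayer">
    <uses-permission android:name="android.permission.INTERNET"/>
    <uses-permission android:name="android.permission.ACCESS_FINE_LOCATION"/>
    <uses-permission android:name="android.permission.BLUETOOTH"/>
    <uses-permission android:name="android.permission.READ_EXTERNAL_STORAGE"/>
</manifest>"""

SAMPLE_SMALI = {
    "smali/com/example/prayer/QiblaActivity.smali":
        ".method private startLocation()V\n"
        "    invoke-virtual {v0, v1, v2, v3, p0}, Landroid/location/LocationManager;->requestLocationUpdates(Ljava/lang/String;JFLandroid/location/LocationListener;)V\n"
        "    invoke-virtual {v4}, Ljava/net/HttpURLConnection;->connect()V\n"
        ".end method\n",
    "smali/com/example/telemetrysdk/Collector.smali":
        ".method public run()V\n"
        "    invoke-virtual {v0}, Landroid/content/ClipboardManager;->getPrimaryClip()Landroid/content/ClipData;\n"
        "    invoke-virtual {v1}, Landroid/bluetooth/BluetoothAdapter;->startDiscovery()Z\n"
        "    invoke-virtual {v2, v3, v4, v5, p0}, Landroid/location/LocationManager;->requestLocationUpdates(Ljava/lang/String;JFLandroid/location/LocationListener;)V\n"
        '    const-string v6, "/storage/emulated/0/WhatsApp/Media"\n'
        "    invoke-virtual {v7, v8}, Lokhttp3/OkHttpClient;->newCall(Lokhttp3/Request;)Lokhttp3/Call;\n"
        ".end method\n",
}

if __name__ == "__main__":
    for pkg, info in triage(SAMPLE_MANIFEST, SAMPLE_SMALI).items():
        print(f"{pkg:28s} risk={info['risk']:6s} {', '.join(info['capabilities'])}")
```

On a real app, feed it the `AndroidManifest.xml` and every `smali*/**/*.smali` file from `apktool d app.apk`; the host package comes out with only the capabilities its features need, while a bundled SDK that combines clipboard, location and device scanning with a network client stands out as high risk even though it never declared a permission of its own.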

WSJ’s report also indicated that the apps containing Measurement Systems software were removed from the Google Play Store as of March 25 for collecting users’ data outside the rules that Google has established. The apps can be relisted once the software is removed, and some of them are already back in the Play Store.

Google’s action does not by itself stop Measurement Systems from collecting data from the millions of phones around the world on which its software is already installed. However, the researchers found that the SDK stopped collecting data and effectively unplugged itself shortly after their findings began to circulate.