Google has booted dozens of Android apps from the Google Play store after finding the apps included a line of code that was discreetly harvesting user data.
According to the Wall Street Journal, some of the now-banned apps were Muslim prayer apps downloaded more than 10 million times. A popular highway speed trap detection app and a QR-code-reading app were also found to include the data-scraping code. Researchers reportedly linked the Panamanian company responsible for the code to a Virginia-based company that works with U.S. national security agencies.
The line of code, part of an SDK developed by Measurement Systems S. De R.L., was found to be collecting rich data including precise location information, email and phone numbers, nearby devices and passwords when users used a “cut and paste” feature. It could also scan for WhatsApp downloads, according to researchers. The company did not encrypt or otherwise obfuscate personal identifiers, which may violate data privacy laws.
Google banned the apps on March 25, spokesperson Scott Westover told the Wall Street Journal, and is allowing apps to return to the Google Play store once they’ve deleted the code. Several are already back online and available for purchase.
Two researchers, Serge Egelman from the International Computer Science Institute at UC Berkeley and Joel Reardon of the University of Calgary, first discovered the SDK and published their findings in a report Wednesday. The report was shared in advance of publication with the Wall Street Journal, Alphabet and the Federal Trade Commission.
The researchers also found that Measurement Systems is tied to Virginia-based Vostrom Holdings Inc., whose Packet Forensics LLC subsidiary works with the federal government on cyberintelligence.
In 2020, Motherboard reported that the U.S. government had purchased precise location data collected through several apps, including Muslim Pro. The ACLU later filed for three years of data purchased by the U.S. government, calling its data collection efforts “a serious threat to privacy and religious freedom.” Lingering fears that Muslims are targeted for data collection still remain, particularly in light of documented surveillance of Muslims by the U.S. government following the Sept. 11 terrorist attacks.
The U.S. Defense Department declined to discuss specifics to the Journal, though it has reportedly admitted previously that it purchases publicly available data for the purposes of national security.
Correction: This story was updated to correct the spelling of Vostrom Holdings Inc. This story was updated April 6, 2022.