Google has yanked dozens of apps from its Google Play store after determining that they include a software element that surreptitiously harvests data.
The Panamanian company that wrote the code, Measurement Systems S. de R.L., is linked through corporate records and web registrations to a Virginia defense contractor that does cyberintelligence, network defense, and intelligence-intercept work for U.S. national security agencies.
The code ran on millions of Android devices and has been found inside several Muslim prayer apps that have been downloaded more than 10 million times, as well as a highway-speed-trap detection app, a QR-code reading app, and a number of other popular consumer apps, according to two researchers who discovered the behavior of the code in the course of auditing work they do searching for vulnerabilities in Android apps. They shared their findings with Google, a unit of Alphabet Inc., federal privacy regulators and The Wall Street Journal.
Measurement Systems paid developers around the world to incorporate its code—known as a software development kit, or SDK—into their apps, developers said. Its presence allowed the Panamanian company to surreptitiously collect data from their users, according to Serge Egelman, a researcher at the International Computer Science Institute and the University of California, Berkeley, and Joel Reardon of the University of Calgary.
From The Wall Street Journal
View Full Article