Google pulls apps that may have harvested data from millions of Android devices

The apps took users' precise location, email, phone numbers and more, researchers said.

NurPhoto via Getty Images

Google has pulled dozens of apps used by millions of users after finding that they covertly harvested data, The Wall Street Journal has reported. Researchers found weather apps, highway radar apps, QR scanners, prayer apps and others containing code that could harvest a user's precise location, email, phone numbers and more. It was made by Measurement Systems, a company that's reportedly linked to a Virginia defense contractor that does cyber-intelligence and more for US national-security agencies. It has denied the allegations.

The code was discovered by researchers Serge Egelman from UC Berkeley and the University of Calgary's Joel Reardon, who disclosed their findings to federal regulators and Google. It can "without a doubt be described as malware," Egelman told the WSJ.

Measurement Systems reportedly paid developers to add their software development kits (SDKs) to apps. The developers would not only be paid, but receive detailed information about their user base. The SDK was present on apps downloaded to at least 60 million mobile devices. One app developer said it was told that the code was collecting data on behalf of ISPs along with financial service and energy companies. Measurement Systems also said it wanted data mainly from the Middle East, Central and Eastern Europe and Asia.

"A database mapping someone’s actual email and phone number to their precise GPS location history is particularly frightening, as it could easily be used to run a service to look up a person’s location history just by knowing their phone number or email, which could be used to target journalists, dissidents, or political rivals," Reardon said in the AppCensus research blog.

Though Google has pulled those apps from the Play Store, the researchers noted that they still exist on millions of devices. At the same time, they found that the SDK stopped collecting user data after their findings were revealed.

The Measurement Systems domain was registered by a company called Volstrom Holdings Inc., which deals with the federal government through a subsidiary called Packet Forensics LLC. A company called Measurement Systems S de R.L. "also listed two holding companies as officers, both of which share a Sterling, Va., address with people affiliated with Volstrom," the WSJ noted.

In a statement, Measurement Systems told the WSJ by email that "the allegations you make about the company’s activities are false. Further, we are not aware of any connections between our company and U.S. defense contractors nor are we aware of… a company called Vostrom. We are also unclear about what Packet Forensics is or how it relates to our company."

This article contains affiliate links; if you click such a link and make a purchase, we may earn a commission.