Google Removes Apps that stole data from millions of devices

Google has removed apps from the Play Store after discovering that they included spyware that stole sensitive information. As reported by The Wall Street Journal, the data collection would have been carried out by a company that supposedly performs cyber intelligence tasks for the United States.

The spyware was detected by the company AppCensus, which published a very detailed report on its blog. The report explains how several applications, harmless at first glance and with millions of downloads, include an SDK (library collab.c.coulus) that gathers a very wide range of data from the devices on which they are installed and transmits it to the servers of a company registered in Panama under the name Measurement Systems.

After an arduous search, the investigators discovered that the domain of that company’s website was registered in the name of VOSTROM Holdings, a firm based in Virginia, USA, which also has a few other records under its belt.

According to the WSJ, the company would be a defense contractor that performs cyber intelligence, data interception and network defense tasks for US security agencies. It is even mentioned that its dealings with the authorities would not be direct, but would go through a subsidiary called Packet Forensics.

Google Removes Apps Used for Mass Data Collection

One point that caught the researchers’ attention is that the code responsible for collecting information behind users’ backs did not behave the same way in all the apps that included it, even when they used the same SDK version.

So, for example, it was detected that an application for using the smartphone as a computer mouse collected and transmitted the MAC address of the router to which the device was connected. This utility has had more than 10 million downloads worldwide.

Another of the applications reported to Google for containing spyware was a weather information widget with over a million downloads. AppCensus detected that it could “catch” anything copied to the clipboard and send it to the Measurement Systems servers. Thus, if users copied a password or any other sensitive data, it would end up in the hands of other people.

They also encountered more extreme cases, such as that of a barcode and QR code reader with more than 5 million downloads from the Google store. This app could collect phone numbers, email addresses, the precise device location via GPS, the phone’s IMEI, the public name (SSID) of WiFi networks and the MAC address of the routers it was connected to.

[Image: Apps flagged by AppCensus to Google for including spyware]

Naturally, we are mentioning only some of the cases observed by the specialists. In fact, AppCensus has published a list of the other applications in which the Measurement Systems SDK has been detected, and they are very varied: from applications that warn of speed cameras on the roads to messaging platforms, audio tools and prayer guides.

Although this information has been made public in the last few hours, the findings are not new. The researchers informed Google of the presence of this spyware in October 2021; since then, the Mountain View company has removed these applications and others in which it also detected the malicious code.

However, the removal may not have taken effect globally. At the time of writing, we’ve followed some of the Play Store links included in the original report and the apps are still available to install (at least from Argentina).

How did spyware get into apps?

As AppCensus discovered, Measurement Systems got its malicious SDK into a slew of apps through a monetization program. Through its website, it offered to pay developers more for their data and indicated that it would do so without using ads, as it was “an alternative monetization strategy.”

“By signing exclusive contracts with telecommunications companies, marketers and research institutes, we provide our app developers with the highest payouts,” its website reads.

And as one developer said in The Wall Street Journal, the main objective of the Panamanian company was to obtain information from users in the countries of the Middle East, Asia and Central and Eastern Europe.

In addition, cyber security experts have accessed the tutorial that instructed developers on how to include the spyware in their apps. It is estimated that the code has reached no fewer than 60 million devices.

And although Google removed the apps from the Play Store (even if only regionally), they are surely still installed on millions of phones; this will continue to be a problem until it is confirmed that future versions of them no longer include the spyware.

Measurement Systems Distances Itself from the Accusations

Measurement Systems has denied any involvement in the espionage activities reported by the AppCensus cybersecurity experts. In fact, the company sent a statement to The Wall Street Journal in which it even denied any relationship with VOSTROM Holdings and Packet Forensics.

“The accusations they are making about the company’s activities are false. Additionally, we are not aware of any connection between our company and US defense contractors, or a company called Vostrom. We also don’t know what Packet Forensics is or how it relates to our business,” they said.

In any case, the disclosure had an effect. The experts found that the apps stopped collecting and transmitting information after they notified Google of their discovery.

And as if to add to the suspicion, the DNS records for the address used to transmit the collected data to the Measurement Systems server have been updated to point to a non-routable value, while the public WHOIS data for the Panamanian company’s website has also been modified and no longer mentions VOSTROM Holdings.