Android apps with 45 million installs used data harvesting SDK

[LASER_oneXM]

Content source

https://www.bleepingcomputer.com/news/security/android-apps-with-45-million-installs-used-data-harvesting-sdk/

Mobile malware analysts warn about a set of applications available on the Google Play Store, which collected sensitive user data from over 45 million installs of the apps.
The apps collected this data through a third-party SDK that includes the ability to capture clipboard content, GPS data, email addresses, phone numbers, and even the user's modem router MAC address and network SSID.

This sensitive data could lead to significant privacy risks for the users if misused or leaked due to poor server/database security.
Furthermore, clipboard contents could potentially include very sensitive information, including crypto wallet recovery seeds, passwords, or credit card numbers, which should not be stored in a third-party database.

According to AppCensus, who discovered the use of this SDK, the collected data is bundled and transmitted by the SDK to the domain "mobile.measurelib.com," which appears to be owned by a Panama-based analytics firm named Measurement Systems.

 

[Gandalf_The_Grey]

From that article:

Apps using this SDK
The most popular and downloaded applications found to be using this SDK to send sensitive user data are the following:

• Speed Camera Radar – 10 million installations (phone number, IMEI, router SSID, router MAC address)
• Al-Moazin Lite – 10 million installations (phone number, IMEI, router SSID, router MAC address)
• WiFi Mouse – 10 million installations (router MAC address)
• QR & Barcode Scanner – 5 million installations (phone number, email address, IMEI, GPS data, router SSID, router MAC address)
• Qibla Compass Ramadan 2022 – 5 million installations (GPS data, router SSID, router MAC address)
• Simple weather & clock widget – 1 million installations (phone number, IMEI, router SSID, router MAC address)
• Handcent Next SMS-Text w/MSS – 1 million installations (email address, IMEI, router SSID, router MAC address)
• Smart Kit 360 – 1 million installations (email address, IMEI, router SSID, router MAC address)
• Al Quran mp3 – 50 Reciters & Translation Audio – 1 million installations (GPS data, router SSID, router MAC address)
• Full Quran MP3 – 50+ Languages & Translation Audio – 1 million installations (GPS data, router SSID, router MAC address)
• Audiosdroid Audio Studio DAW – 1 million installations (phone number, IMEI, GPS data, router SSID, router MAC address)

It’s important to note that all of these apps were reported to Google on October 20, 2021, and were subsequently investigated and removed from the Play Store.

However, their publishers managed to reintroduce them on the Play Store after removing the data-harvesting SDK and submitting new, updated versions to Google for review.

If users installed the apps on a previous date, though, the SDK would still be running on their smartphones, so removal and re-installation would be advised in this case.

Unfortunately, as data collection libraries quietly run in the background collecting data, it's difficult for users to protect themselves from them. Therefore, it is advised that you only install apps from trustworthy developers who have a long history of highly reviewed apps.

Another good practice is to keep the number of apps installed on your device at the minimum necessary and ensure that the permissions requested are not overly broad.